Several banking apps let hackers steal user credentials using ‘man in the middle’ attacks
A critical security flaw in several banking apps that allowed hackers to conduct man-in-the-middle attacks and steal credentials of users has been plugged after being flagged by researchers at the University of Birmingham.
The critical security flaw that allowed hackers to conduct man-in-the-middle attacks was present in 9 apps including some banking apps and TunnelBear, one of the world’s most popular VPN apps.
In a research paper titled ‘Semi-Automatic Detection of Pinning without Hostname Verification‘, researchers at the University of Birmingham have highlighted a critical security flaw in certificate verification processes of several banking apps that allowed hackers to conduct man-in-the-middle attacks and steal credentials of millions of users.
The flaw was observed in as many as 9 popular banking apps including those of Bank of America, Meezan Bank, HSBC, Smile Bank and VPN provider TunnelBear. All of these firms patched their respective vulnerabilities before the publication of the report.
‘Like web browsers, mobile platforms such as Android and iOS rely on a trust store containing a large number of CA root certificates. If a single CA acted maliciously or were compromised, which has happened before, valid certificates for any domain could be generated allowing an attacker to Man-in-the-Middle all apps trusting that CA certificate,’ the researchers said.
To ensure that their customers are not impacted in case hackers manage to compromise a trusted CA, many banks are now implementing Certificate Pinning, a process where developers only accept certificates signed by a single pinned CA root certificate. While analysing apps that had implemented Certificate Pinning, the researchers observed that while such apps correctly checked that server certificates were signed by the root CA, they failed to verify the hostname.
The researchers used a new tool to determine the presence of apps that pinned to a root or intermediate certificate but did not check the hostname of the host. Out of 400 banking, stock trading, cryptocurrency and VPN apps in both Android and iOS platforms, they found 9 apps that did not verify hostnames and were thus vulnerable to man-in-the-middle attacks.
‘For apps that are found to pin the certificate but not check the hostname, an attacker could then go to the trusted third party used by the certificate and obtain a valid certificate in their own name. This certificate can then be used by the attacker to trick a victim’s app into thinking it’s communicating with the server it expects, and hence decrypt and/or modify any sensitive traffic,’ they said.
They added that lack of hostname verification is now the most common flaw that leaves high-security apps vulnerable to hackers. In fact, it is more common than the practice of accepting self-signed certificates which was misued by hackers in the past to great effect. As many as five HSBC apps, namely HSBC, HSBC Business, HSBCnet, HSBCPrivate and HSBC Identity were found to be lacking hostname verification.
After analysing HSBC apps, the researchers concluded that by exploiting the said vulnerability in Certificate Pinning, hackers can, by conducting man-in-the-middle attacks, ‘intercept and modify the downloaded config file to force a victim to send authentication details to a domain under the attackers control’.
For example, if a hacker is using the same Wi-Fi network as an app user, he can use DNS spoofing to redirect the victim’s traffic to his network. Al the same time, he can also create a fake hotspot to intercept the victim’s traffic and provide the app with a certificate signed by the certificate that the app pins to. However, the hacker will need to purchase a certificate so that he can conduct the latter operation.
‘The added complication of certificate pinning, which appears to be on the rise, has spawned a new class of vulnerabilities. These are more subtle and hence have not been detected by existing detection techniques. Moreover, our findings are testament to the feedback received from developer interviews which found that although general understanding of pinning is good, implementation complexity has made it difficult to roll out,’ they concluded.