UK university reveals security flaw in millions of banking apps
The researchers developed a tool to perform semi-automated security testing of mobile phone apps. After running the tool on a sample of 400 security-critical apps, they identified a critical vulnerability in banking apps, including those from HSBC, NatWest, Co-op, Santander and Allied Irish Bank.
This vulnerability allowed an attacker connected to the same network as the victim (for example a public Wi-Fi hotspot or a corporate network) to perform a so-called “man in the middle attack” and retrieve the user’s credentials, such as username and password/PIN code.
Dr Tom Chothia, who led the research at the University of Birmingham, says: “It’s impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network.”
Dr Flavio Garcia, a University of Birmingham researcher, adds: “Certificate pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification.”
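The distinction Dr Garcia draws, a pin check that is satisfied by any certificate the pinned CA has issued versus a pin check combined with proper hostname verification, is illustrated below. This is an added example, not code from the researchers or from any of the banks’ apps; the CA key, the certificates and the hostnames are all constructed, and the certificate dicts only borrow the shape of Python’s `ssl.getpeercert()` output for the `subjectAltName` field.

```python
import hashlib

# All certificate data below is constructed for illustration; the dict shape
# mirrors the subjectAltName field returned by Python's ssl.getpeercert().
CA_SPKI = b"constructed SubjectPublicKeyInfo of the bank's issuing CA"
PINNED_CA_SPKI_SHA256 = hashlib.sha256(CA_SPKI).hexdigest()  # the app's pin


def hostname_matches(cert: dict, hostname: str) -> bool:
    """RFC 6125-style DNS-ID matching against subjectAltName.

    A wildcard is accepted only as the entire leftmost label; it must not
    match the bare parent domain and must not span more than one label.
    """
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat = value.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*":
            if len(pat) >= 3 and pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def pin_matches(chain_ca_spki: bytes) -> bool:
    """The pin check alone: is the chain anchored at the pinned CA key?"""
    return hashlib.sha256(chain_ca_spki).hexdigest() == PINNED_CA_SPKI_SHA256


def verify_pin_only(cert: dict, chain_ca_spki: bytes, hostname: str) -> bool:
    """Weak: accepts ANY certificate the pinned CA has issued, for any name."""
    return pin_matches(chain_ca_spki)


def verify_pin_and_hostname(cert: dict, chain_ca_spki: bytes, hostname: str) -> bool:
    """Correct: the pin narrows the trusted issuer; the name check binds the leaf to the host."""
    return pin_matches(chain_ca_spki) and hostname_matches(cert, hostname)


# Constructed sample leaf certificates, all issued by the pinned CA.
BANK_CERT = {"subjectAltName": (("DNS", "online.bank.example"),)}
OTHER_CERT = {"subjectAltName": (("DNS", "www.other.example"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.bank.example"),)}

if __name__ == "__main__":
    for name, cert in [("bank cert", BANK_CERT), ("other cert", OTHER_CERT)]:
        print(name, "pin-only:", verify_pin_only(cert, CA_SPKI, "online.bank.example"),
              "pin+hostname:", verify_pin_and_hostname(cert, CA_SPKI, "online.bank.example"))
```

Run stand-alone, the script shows the certificate for the unrelated name passing the pin-only check and failing once the hostname is verified, which is why a pin test alone cannot reveal the missing name check.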
The team at the university said they do not know whether customers were actively hacked through the flawed apps, which have now been updated.
The researchers worked with the banks involved, and the UK Government’s National Cyber Security Centre (NCSC) to fix the vulnerabilities, and the current versions of all the apps affected by this pinning vulnerability are now secure.