10 Percent of iOS Apps Have a Data Compromising Vulnerability

A common programming error exposes almost 10 percent of iOS apps to attacks that can result in their data being wiped or malicious code being executed in their sandbox.

The vulnerability was discovered by researchers from a team of Chinese iOS jailbreakers called Pangu Team and has been dubbed ZipperDown. The researchers didn’t release technical details about the flaw but publicly alerted iOS app developers to its existence so that they can ask for details privately and check their apps for its presence.

Pangu found the issue in multiple iOS apps they were auditing for their customers. This gave them the idea to build a signature for it in their mobile threat intelligence platform called Janus and perform some wider scans.

They found that 15,978 out of 168,951 tested apps are potentially vulnerable. The programming error that causes the security flaw is not new, so they weren’t expecting so many apps to suffer from it.

Their detection signature is not 100 percent reliable, so an app needs to be analyzed manually to be certain that it is truly affected. This is why Pangu advises developers of the 16,000 apps they identified (the list is public) to contact them for more details.

The impact of ZipperDown depends on the privileges of each affected application, the researchers said on a website dedicated to the flaw. “In general, attackers could overwrite the affected app’s data, or even gain code execution in the context of the affected app.”

According to the Pangu Team, the typical attack vector for this vulnerability is through traffic hijacking and spoofing, for example over insecure wireless networks. A video demonstration shows how the researchers managed to execute arbitrary JavaScript code in the context of the Weibo app in an unsafe Wi-Fi environment.

The team also manually verified that popular Chinese apps Weibo, MOMO, NetEase Music, QQ Music and Kwai, which have more than 100 million users, are vulnerable. In addition, they found similar issues in many popular Android applications, but they plan to release a report about those at a later time.

Developers hopefully will check their applications and correct the error where needed. But in general, users should always use a virtual private network (VPN) connection when accessing the internet over public wireless networks, as this prevents traffic spoofing and other man-in-the-middle attacks.

Cisco Fixes 3 Critical Flaws in Digital Network Architecture Center

Cisco Systems released security updates for its Cisco Digital Network Architecture (DNA) Center to fix three critical vulnerabilities, including one caused by hard-coded and undocumented administrative credentials.

Cisco DNA is a software-driven architecture that helps enterprises simplify their network operations with a focus on automation, virtualization, analytics and cloud-based management. The Cisco DNA Center is a physical appliance that provides a management dashboard and serves a central role in enterprise networks built using the DNA architecture.

Cisco DNA Center Software prior to release 1.1.3 contains an undocumented administrative account with static credentials that allows remote attackers to authenticate and execute commands on the device with root privileges. There is no workaround for this critical vulnerability, so users are strongly advised to upgrade to the latest version of the software.

A second authentication-related vulnerability patched in the DNA Center software is located in the API gateway and can be exploited by sending malformed URLs to the application. A successful exploit can provide attackers with access to critical services and elevated privileges inside the DNA Center.

A third critical vulnerability was patched in the Kubernetes container management subsystem of the DNA Center and is the result of an insecure default configuration. Attackers who exploit this flaw can execute commands with elevated privileges within provisioned containers, potentially leading to their full compromise.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
