Security experts have long recognized the benefit of limiting the number of unsuccessful login attempts that users can make to online accounts. While such limits make it possible for attackers to lock out legitimate users, such denial-of-service drawbacks are generally outweighed by the protection they provide against online password cracking attempts, in which attackers make huge numbers of password guesses against specific user accounts in the hope of eventually hitting the right one. Until last September, Apple's iCloud service failed to limit the number of login attempts to that service, a shortcoming that may have contributed to last year's mass celebrity hack and nude photo thefts.
Despite Apple mending its ways, many smartphone apps still allow users to make an unlimited number of login attempts. That failure allows attackers to cycle through long lists of the most commonly used passwords. Given the difficulty of entering strong passwords on smartphone keyboards, it's a safe bet that it wouldn't be hard to compromise a statistically significant number of accounts over a period of weeks.
According to research from smartphone security firm AppBugs, dozens of Android and iPhone apps downloaded more than 300 million times contain no limits on the number of logins that can be attempted. Per the company's disclosure policy, researchers give app developers up to 90 days to fix vulnerabilities before making them public. That means most of the 50 or so apps identified by AppBugs still aren't being made public. Still, the grace period has expired on at least 12 apps, including those from CNN, ESPN, Slack, Expedia, Zillow, SoundCloud, Walmart, Songza, iHeartRadio, Domino's Pizza, AutoCAD, and Kobo. Three other apps, from Wunderlist, Dictionary, and Pocket, were found to be vulnerable but were later fixed after AppBugs brought the weaknesses to the developers' attention.
As noted earlier, rate limiting has a dark side because it makes it possible for attackers to lock legitimate users out of their own accounts. Besides putting rate limiting in place, app developers may want to consider two-factor authentication as a means of preventing the compromise of user accounts.
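One way to get the protection without the hard lockout the article warns about, as an added example that is not code from the article or from any of the apps it names: a per-account throttle that lets the first few failures through and then delays further attempts with exponential backoff capped at a maximum, so a legitimate user is slowed for at most `max_delay` seconds while an attacker cycling a common-password list gets only a handful of guesses per hour. The class, parameter names, fake clock and simulated attacker are all constructed for illustration.

```python
import time

class LoginThrottle:
    """Per-account failed-login throttle (constructed example). The first
    `free_attempts` consecutive failures cost nothing; each further failure blocks
    the account for base_delay * 2**n seconds, capped at max_delay. Success resets."""
    def __init__(self, free_attempts=5, base_delay=1.0, max_delay=900.0,
                 clock=time.monotonic):
        self.free_attempts, self.base_delay = free_attempts, base_delay
        self.max_delay, self.clock = max_delay, clock
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> clock time at which the block lifts

    def wait_seconds(self, account):
        """Seconds before this account may be tried again; 0.0 if allowed now."""
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def attempt(self, account, password, verify):
        """Gate one login; returns (success, seconds_until_next_attempt)."""
        wait = self.wait_seconds(account)
        if wait > 0:
            return False, wait  # refused before the password store is consulted
        if verify(account, password):
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return True, 0.0
        n = self._failures[account] = self._failures.get(account, 0) + 1
        if n > self.free_attempts:  # backoff grows per excess failure, then caps
            delay = min(self.base_delay * 2 ** (n - self.free_attempts), self.max_delay)
            self._locked_until[account] = self.clock() + delay
        return False, self.wait_seconds(account)

class FakeClock:  # deterministic stand-in for time.monotonic
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds

def simulate_spray(throttle, clock, budget_seconds, account="victim"):
    """Guesses an attacker gets against one account within the budget, assuming one
    guess per second and a constructed wordlist that never contains the password."""
    never_right = lambda acct, pw: False
    guesses = 0
    while True:
        clock.advance(throttle.wait_seconds(account))  # wait out any block (0 if none)
        if clock.now >= budget_seconds: return guesses
        throttle.attempt(account, f"common-password-{guesses}", never_right)
        guesses += 1
        clock.advance(1.0)
```

With the defaults, an hour of spraying yields 17 guesses against one account instead of 3600, and the worst case for the real user is a 15-minute wait rather than a locked account.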