Approov reports that 77% of 30 popular mobile health apps for clinicians contain hardcoded application programming interface (API) keys that an attacker can extract from the app itself, according to Threatpost. With each tested app averaging 772,619 downloads, the weaknesses leave around 23 million mHealth users exposed to API attacks that could leak sensitive information, researchers said. The report further notes that another 7% of the apps contained hardcoded usernames and passwords, 27% lacked code-obfuscation protections against reverse engineering, none used certificate pinning, which guards against man-in-the-middle attacks, and half of the APIs did not authenticate requests with tokens. Every API endpoint tested also proved vulnerable to Broken Object Level Authorization (BOLA) attacks, which exposed users' personal health information and personally identifiable information to attackers even for records not assigned to the compromised clinician's account. Threat actors have long been drawn to the health care sector, where medical records fetch around $1,000 each in cybercriminal markets, and that lucrative market combined with the lack of security focus among innovation-driven mobile health app developers makes the sector a target, researchers said.
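The Broken Object Level Authorization finding above, as an added example that is not code from the Approov report or from any of the tested apps: an in-memory model of a clinician records API with the vulnerable handler beside a hardened one, plus the ID-enumeration probe an API tester would run against each. The record IDs, clinician IDs, tokens and patient data are constructed for illustration.

```python
"""Added example (not from the Approov report or any tested app): the BOLA
pattern described above, modelled in memory with a vulnerable handler, a
hardened handler, and the enumeration probe used to tell them apart.
All records, clinician IDs and tokens below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    clinician_id: str   # clinician the record is assigned to
    patient: str
    notes: str


# Constructed sample data: two clinicians, each assigned one record.
RECORDS = {
    101: Record(101, "clin-a", "Patient One", "allergy: penicillin"),
    102: Record(102, "clin-b", "Patient Two", "hx: hypertension"),
}
# Constructed bearer tokens mapped to the clinician they authenticate.
TOKENS = {"tok-a": "clin-a", "tok-b": "clin-b"}


class Unauthorized(Exception):
    """Missing or invalid token (authentication failed)."""


class Forbidden(Exception):
    """Valid token, but the caller may not access this object."""


def authenticate(token):
    """Resolves a bearer token to a clinician ID or raises Unauthorized."""
    try:
        return TOKENS[token]
    except KeyError:
        raise Unauthorized("invalid or missing token")


def get_record_vulnerable(token, record_id):
    """Authenticates the caller, then returns any record by ID. The ID alone
    selects the object, so clinician A can read clinician B's patient data:
    this is the BOLA shape the report describes."""
    authenticate(token)
    return RECORDS[record_id]


def get_record_hardened(token, record_id):
    """Authenticates, then checks that the requested object belongs to the
    caller before returning it (object-level authorization)."""
    caller = authenticate(token)
    record = RECORDS.get(record_id)
    # Same response for missing and foreign records, so an attacker
    # enumerating IDs cannot tell which ones exist.
    if record is None or record.clinician_id != caller:
        raise Forbidden(f"record {record_id} not accessible to {caller}")
    return record


def probe(handler, token, record_ids):
    """Enumerates record IDs with one clinician's token, the way a BOLA test
    does, and returns the IDs of foreign records the handler handed back."""
    caller = authenticate(token)
    leaked = []
    for rid in record_ids:
        try:
            rec = handler(token, rid)
        except (Forbidden, KeyError):
            continue
        if rec.clinician_id != caller:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    ids = sorted(RECORDS)
    print("vulnerable leaks:", probe(get_record_vulnerable, "tok-a", ids))  # [102]
    print("hardened leaks:  ", probe(get_record_hardened, "tok-a", ids))    # []
```

The hardened handler deliberately returns the same error for a record that does not exist and for one owned by another clinician; distinguishing the two would let an attacker map the ID space even without reading the records.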
Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She has 20 years of experience editing and reporting on technology, business and policy.
Attackers who successfully activated "CSS Combine" and "Generate UCSS" within Page Optimization settings could leverage the vulnerability not only to exfiltrate sensitive data but also to elevate privileges and facilitate website takeovers for further compromise, according to an analysis from Patchstack.
Both iOS and Android devices have been targeted with attacks involving the fake app dubbed "SB-INT," which lured victims into manually trusting the Enterprise developer profile before triggering the registration process that would seek additional information from victims.