Friday, March 29, 2024

40+ Apps With More Than 100 Million Downloads Exposing AWS API Keys

Cybersecurity researchers from CloudSEK have discovered more than 40 apps, with a combined total of over 100 million downloads, that expose hardcoded AWS API keys.

Amazon Web Services (AWS) is best known as a cloud computing platform that serves enterprises, small businesses and government bodies around the globe.

AWS services and APIs are extremely popular and are used by millions of companies worldwide, primarily to meet their infrastructure and hosting requirements.

Companies also use these services to power their websites and mobile apps, which is why, as the analysts note, AWS APIs routinely handle sensitive and confidential information.

Critical Vulnerability in How App Developers Use AWS

Almost every company relies on APIs, because they make developers' work easier: they allow apps to interact with many different data sources.

APIs let developers manage the data flowing from one app to another efficiently, and they are central to this model. For instance, services such as Facebook and LinkedIn expose APIs that other apps use to verify their users' identities.

Some of these APIs require private keys that must be kept secure. The researchers found, however, that a number of apps embed such keys directly in the app itself.

API keys embedded this way are easily recovered by malicious actors, and the analysts warn that attackers can then use them to compromise the company's data and networks.

To be clear, this vulnerability lies in how developers embed and handle the keys in their apps, not in the AWS services themselves.

Over 10,000 Apps Analyzed by the Experts

The researchers ran nearly 10,000 apps through BeVigil, CloudSEK's mobile app security platform, and found that more than 40 of them had hardcoded private AWS keys.

CloudSEK has disclosed its findings to AWS and to the affected companies worldwide, and the keys of the affected apps listed in the report have already been deactivated.

How AWS keys work and why they were hardcoded in the APK

The experts give a brief summary of how AWS keys work: they enable programmatic access to AWS services without requiring a user to log in interactively.

Why, then, were these keys hardcoded in the APK? The researchers identified the following reasons:

  • Fetching static files from S3 buckets so they can be displayed in the mobile app.
  • Uploading data collected from app users to S3.
  • Sending emails through the AWS SES service.
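To show concretely what "hardcoded in the APK" looks like and how such keys are found, here is an added Python example (not CloudSEK's or BeVigil's code) that scans the decoded resources of an Android app for AWS access key IDs and secret-key candidates. The strings.xml is constructed for this example and uses AWS's published dummy credentials; the directory-walking helper assumes the layout produced by `apktool d app.apk`.

```python
"""Find hardcoded AWS credentials in decoded Android app resources.

Added illustration (not CloudSEK's or BeVigil's code): a minimal scanner of
the kind a mobile-app security scanner automates. The strings.xml below is
constructed for this example; the key values are AWS's published dummy
credentials, not real ones.
"""
import os
import re
import xml.etree.ElementTree as ET

# Access key IDs are 20 characters: "AKIA" for long-term IAM user keys,
# "ASIA" for temporary STS keys, followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters of base64-style alphabet. Alone this
# pattern is noisy (hashes, tokens), so it is only reported when the resource
# name suggests AWS or a secret.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_NAME_HINT = re.compile(r"secret|aws|s3|ses|kinesis", re.IGNORECASE)

# Constructed sample of res/values/strings.xml as produced by `apktool d app.apk`.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">ExampleApp</string>
    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
    <string name="s3_bucket">example-app-uploads</string>
    <string name="ses_sender">noreply@example.com</string>
    <string name="random_token">3f9a2c1b7e4d8f0a6c5b2e1d9a8f7c6b5e4d3c2b</string>
</resources>
"""


def scan_strings_xml(xml_text):
    """Return (resource_name, kind, value) for each credential-looking string."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("string"):
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        if ACCESS_KEY_RE.fullmatch(value):
            findings.append((name, "aws_access_key_id", value))
        elif SECRET_RE.fullmatch(value) and SECRET_NAME_HINT.search(name):
            findings.append((name, "aws_secret_access_key_candidate", value))
    return findings


def scan_text(blob, origin):
    """Scan arbitrary decoded text (smali, JS bundles, configs) for key IDs."""
    return [(origin, "aws_access_key_id", m.group(0))
            for m in ACCESS_KEY_RE.finditer(blob)]


def scan_apk_dir(root_dir):
    """Walk an apktool output directory and collect findings from every text file."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    data = fh.read()
            except OSError:
                continue
            if fn.endswith(".xml") and "<resources" in data:
                try:
                    findings.extend((f"{path}:{n}", k, v)
                                    for n, k, v in scan_strings_xml(data))
                    continue
                except ET.ParseError:
                    pass
            findings.extend(scan_text(data, path))
    return findings


def mask(secret):
    """Show only the ends of a credential so reports do not re-leak it."""
    return secret[:4] + "..." + secret[-4:]


if __name__ == "__main__":
    for name, kind, value in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{kind}: {name} = {mask(value)}")
```

The access key ID pattern is high-confidence on its own; the 40-character secret pattern is not, so the scanner only reports it when the resource name points at AWS or a secret (note that the 40-character `random_token` above is deliberately left alone). Any hit should be treated as compromised and rotated, since the APK is public.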

Impact of the Leaked AWS Keys

One of the apps, available on the Google Play Store with more than half a million downloads, had a hardcoded AWS key and other confidential secrets in its "strings.xml" file.

The leaked keys had access to several AWS services, including ACM (Certificate Manager), OpsWorks, Elastic Beanstalk, Kinesis and S3.

On further analysis, the report found that the AWS keys had access to 88 S3 buckets. According to the researchers, these 88 buckets held 10,073,444 files, amounting to 5.5 terabytes of exposed data.

These buckets were used to host files and data generated by the company's projects.
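The breadth of access described above (five services and 88 buckets behind a key that ships inside a public APK) is a least-privilege failure as much as a leak. The following added Python example, which is not part of the CloudSEK report, audits an IAM policy the way a reviewer would before letting any credential near a client app. Both policy documents are constructed for illustration and are not the affected apps' real policies; only the list of services the leaked keys could reach comes from the article, and bucket names, account ID and region are placeholders.

```python
"""Audit the IAM permissions behind credentials that end up in a client app.

Added illustration, not from the CloudSEK report. Both policy documents are
constructed for this example and are not the affected apps' real policies;
the list of services the leaked keys could reach (ACM, OpsWorks, Elastic
Beanstalk, Kinesis, S3) is taken from the article. Bucket names, account ID
and region are placeholders.
"""

# Services the article reports the leaked keys had access to.
SERVICES_SEEN_ON_LEAKED_KEYS = {"acm", "opsworks", "elasticbeanstalk", "kinesis", "s3"}

# Constructed: a "deployment user" policy reused for the mobile app. Anyone
# who pulls the key from the APK gets everything below, in every bucket.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["acm:*", "opsworks:*", "elasticbeanstalk:*", "kinesis:*"],
         "Resource": "*"},
    ],
}

# Constructed: permissions narrowed to the three reasons the article gives
# for embedding keys (read static assets, upload user data, send mail), each
# pinned to a single resource. This is what a role handed out through a
# Cognito identity pool or a backend-issued STS session should look like.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-assets/public/*"},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-app-uploads/${cognito-identity.amazonaws.com:sub}/*"},
        {"Effect": "Allow", "Action": "ses:SendEmail",
         "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalize to list."""
    return value if isinstance(value, list) else [value]


def services_in(policy):
    """Return the set of service prefixes that Allow statements touch."""
    services = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            services.add(action.partition(":")[0])
    return services


def audit_policy(policy, allowed_services=("s3", "ses")):
    """Return human-readable problems for a client-app credential; [] means clean."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                problems.append(f"stmt {i}: wildcard action {action!r}")
            if service != "*" and service not in allowed_services:
                problems.append(f"stmt {i}: service {service!r} is not needed by a client app")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                problems.append(f"stmt {i}: Resource '*' reaches every bucket and resource")
    return problems


if __name__ == "__main__":
    for label, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{label}: services={sorted(services_in(policy))}")
        for problem in audit_policy(policy) or ["no problems found"]:
            print("  -", problem)
```

Even the scoped policy should never be attached to a long-term IAM user key baked into the app; it belongs on a role that the app obtains short-lived credentials for (Cognito identity pools or a backend that calls STS), so that a leak expires on its own and the blast radius is one user's prefix rather than 88 buckets.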


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
