Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Most mobile app users tend to blindly trust that the apps they download from app stores are safe and secure. But that isn't always the case.


To demonstrate the pitfalls and identify vulnerabilities on a large scale, cybersecurity and machine intelligence company CloudSEK recently provided a platform called BeVigil where individuals can search and check app security ratings and other security issues before installing an app.


A latest report shared with The Hacker News detailed how the BeVigil search engine identified over 40 apps - with more than a cumulative 100 million downloads - that had hardcoded private Amazon Web Services (AWS) keys embedded within them, putting their internal networks and their users' data at risk of cyberattacks.


BeVigil finds popular apps leaking AWS keys


The AWS key leakage was spotted in some of the major apps such as Adobe Photoshop Fix, Adobe Comp, Hootsuite, IBM's Weather Channel, and online shopping services Club Factory and Wholee. The findings are the result of an analysis of over 10,000 apps submitted to CloudSEK's BeVigil, a mobile app security search engine.





" AWS keys hardcoded in a mobile app source code can be a huge problem, especially if it's [Identity and Access Management] role has wide scope and permissions," CloudSEK researchers said. "The possibilities for misuse are endless here, since the attacks can be chained and the attacker can gain further access to the ..