The Curious Case of the Exposed Passwords!

The strange case of exposed passwords…

Researchers at Northeastern University identified more than 20 iOS, Android, and Windows Phone apps that exposed users’ credentials, including passwords, to eavesdroppers. They contacted the developers to get these vulnerabilities fixed, and what they learned was both surprising and enlightening: the experience of reporting password vulnerabilities was generally positive in the end, but there is still room for improvement.
Story:

They started with a simple idea: identify how much of users’ personal information is exposed over the Internet when using mobile apps, and allow users to do something about it. This idea led them to create the ReCon project, which hundreds of people worldwide use to understand their privacy exposure when using mobile devices.

On the Internet, Everyone Knows You’re a Dog

As you use mobile devices with Internet connections, not only are you fetching interesting information (e.g., Facebook posts, tweets, news, and weather), you are probably also sharing personally identifiable information (PII) such as your name, email address, GPS location, gender, sexual orientation, and credentials such as usernames and passwords for logging into apps. There are many legitimate reasons for apps to send PII over the Internet; for example, navigation apps such as Google Maps and Waze need to know your location to give you real-time driving directions. Ideally, this information is protected from eavesdroppers by transport encryption such as TLS; however, the researchers found substantial amounts of it sent in plaintext, readable by anyone on the network path, such as another user of the same Wi-Fi hotspot. Like the famous New Yorker cartoon about the dog using the Internet, anyone can know who you are based on your mobile device’s Internet traffic (even if you are a dog).

The Curious Case of the Exposed Passwords!

Perhaps the most sensitive PII for users is their login credentials, namely usernames and passwords. An eavesdropper who obtains this information can impersonate the user and gain access to their online accounts. Further, because users often reuse the same password across sites, a single password exposed to an eavesdropper can lead to the compromise of many accounts, from Facebook to online dating and banking sites.
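To make concrete what an eavesdropper (or a tool such as ReCon) actually sees, here is an added example, not ReCon's code and not from the original article, that scans captured request bytes for credential-like fields sent in plaintext HTTP. It covers the places app traffic typically carries credentials (URL query string, HTTP Basic header, form-encoded body, JSON body) and returns nothing for a capture that starts with a TLS record, since an eavesdropper sees only ciphertext there. The field-name lists, hostnames, and sample captures are constructed assumptions for illustration.

```python
"""Detect credentials sent in plaintext HTTP, as an on-path eavesdropper sees them.

Added example: not ReCon's code. The key lists below are an assumption used for
illustration, not ReCon's matching rules; the sample captures are constructed.
"""
import base64
import json
from urllib.parse import parse_qsl, urlsplit

# Assumed illustrative parameter names that usually carry credentials or account
# identifiers; a real detector would curate or learn these per app.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token"}
IDENTITY_KEYS = {"username", "user", "email", "login"}


def classify_key(key):
    """Map a parameter name to 'credential', 'identity', or None."""
    k = key.lower()
    if k in CREDENTIAL_KEYS:
        return "credential"
    if k in IDENTITY_KEYS:
        return "identity"
    return None


def looks_like_tls(raw):
    """True if the capture starts with a TLS record: content type 0x16 (handshake),
    major version 3. Everything after the handshake is ciphertext to an eavesdropper."""
    return len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03


def parse_http_request(raw):
    """Split raw HTTP/1.x request bytes into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("not an HTTP/1.x request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def _walk_json(node):
    """Yield (key, value) for credential-like keys anywhere in a JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            if classify_key(k) and isinstance(v, (str, int)):
                yield k, str(v)
            yield from _walk_json(v)
    elif isinstance(node, list):
        for item in node:
            yield from _walk_json(item)


def find_exposed_fields(raw):
    """Return [(location, kind, key, value)] for every credential-like field readable
    in plaintext: URL query, Basic auth header, form-encoded body, JSON body."""
    if looks_like_tls(raw):
        return []
    _method, target, headers, body = parse_http_request(raw)
    found = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        kind = classify_key(key)
        if kind:
            found.append(("query", kind, key, value))
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
        except ValueError:
            decoded = ""
        if ":" in decoded:  # Basic auth is just base64("user:password"), no secrecy at all
            user, _, pw = decoded.partition(":")
            found.append(("header", "identity", "username", user))
            found.append(("header", "credential", "password", pw))
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        for key, value in parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True):
            kind = classify_key(key)
            if kind:
                found.append(("form", kind, key, value))
    elif ctype == "application/json":
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        for key, value in _walk_json(doc):
            found.append(("json", classify_key(key), key, value))
    return found


def build_request(method, target, headers, body=b""):
    """Assemble raw request bytes; used only to construct the sample captures below."""
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


# Constructed sample captures (not real app traffic; hostnames are placeholders).
FORM_LOGIN = build_request(
    "POST", "/login",
    {"Host": "app.example", "Content-Type": "application/x-www-form-urlencoded"},
    b"username=alice%40example.com&password=hunter2",
)
JSON_LOGIN = build_request(
    "POST", "/api/v2/session",
    {"Host": "api.example", "Content-Type": "application/json"},
    json.dumps({"user": {"email": "bob@example.com", "password": "correct horse"}}).encode(),
)
QUERY_AND_BASIC = build_request(
    "GET", "/sync?user=carol&token=abc123",
    {"Host": "sync.example",
     "Authorization": "Basic " + base64.b64encode(b"carol:s3cret").decode()},
)
TLS_CAPTURE = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32  # ClientHello prefix

if __name__ == "__main__":
    for name, capture in [("form", FORM_LOGIN), ("json", JSON_LOGIN),
                          ("query+basic", QUERY_AND_BASIC), ("tls", TLS_CAPTURE)]:
        print(name, find_exposed_fields(capture))
```

Running the block prints the recovered usernames and passwords for the three plaintext captures and an empty list for the TLS capture. Two points worth noting: HTTP Basic authentication offers no protection on its own (base64 is an encoding, not encryption), and credentials placed in a URL query string also end up in server and proxy logs, so they are exposed even beyond the eavesdropper on the wire.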
