Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar   May »
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Archive for April 10th, 2014




    The severity of the Heartbleed bug has led countless websites and servers scrambling to address the issue. And with good reason—a test conducted on Github showed that more than 600 of the top 10,000 sites (based on Alexa rankings) were vulnerable. At the time of the scanning, some of the affected sites included Yahoo, Flickr, OKCupid, Rolling Stone, and Ars Technica.

    All the extended coverage of the flaw begs the question, “Are mobile devices affected by this?” The short answer: yes.

    Mobile apps, like it or not, are just as vulnerable to the Heartbleed Bug as websites are because apps often connect to servers and web services to complete various functions. As our previous blog entry has shown, a sizable number of domains are affected by this vulnerability.

    Suppose you’re just about to pay for an in-app purchase, and to do so you need to input your credit card details. You do so, and the mobile app finishes the transaction for you. While you’re getting on with your game, your credit card data is stored in the server that the mobile app did the transaction with, and may stay there for an indeterminate period of time. As such, cybercriminals can take advantage of the Heartbleed bug to target that server and milk it of information (like your credit card number). It’s as simple and easy as that.

    What about apps that don’t offer in-app purchases? Are they safe from this vulnerability? Not really—as long as it connects to an online server, it’s still vulnerable, even if your credit card isn’t involved. For example, your app could ask you to ‘like’ them on a social network, or ‘follow’ them on yet another for free rewards.

    Suppose you decide to do so, and tap ‘OK’. Chances are your app will open the website on their own, through their own in-app browser, and have you log into the social network there. While we’re not saying the social networks you go are vulnerable to the Heartbleed bug, the possibility is there, and thus the risk is there as well.

    We looked deeper into the matter, and inspected some web services used by popular mobile apps and the results show that the vulnerability still exists.

    We scanned around 390,000 apps from Google Play, and found around 1,300 apps connected to vulnerable servers. Among them are 15 bank-related apps, 39 online payment-related, and 10 are online shopping related. We also found several popular apps that many users would use on a daily basis, like instant messaging apps, health care apps, keyboard input apps–and most concerning, even mobile payment apps. These apps use sensitive personal and financial information—data mines just ripe for the cybercriminal’s picking.

    What can be done against the Heartbleed bug, then? Not a whole lot, we’re afraid. We can tell you to change your password, but that’s not going to help if the app developers—and the web service providers as well—don’t fix the problem on their end. This means upgrading to the patched version of OpenSSL, or at least turning off the problematic heartbeat extension.

    Until then, what we can advise you to do is to lay off the in-app purchases or any financial transactions for a while (including banking activities), until your favorite app’s developer releases a patch that does away with the vulnerability. We’ll keep you updated in the meantime as to all that’s happening with the Heartbleed bug.

    Update as of April 11, 2014, 8:45 A.M. PDT

    After doing a second round of scanning, we have found that around 7,000 apps are connected to vulnerable servers. 

    For other posts discussing the Heartbleed bug, check these other posts:

     



    In trying to gauge the impact of the Heartbleed vulnerability, we proceeded to scanning the Top Level Domain (TLD) names of certain countries extracted from the top 1,000,000 domains by Alexa. We then proceeded to separate the sites which use SSL and further categorized those under “vulnerable” or “safe.” The data we were able to gather revealed some interesting findings.

    As of the moment, we see an overall percentage of around 5% in terms of sites affected by CVE-2014-0160. The TLDs with the largest percentage of vulnerable sites are .KR and .JP. It’s interesting to note that sites from the .GOV TLD rank fifth on the list.

    Figure 1. A breakdown of vulnerable sites per country
    (Click image above to enlarge)

    On the other hand, we have significantly low number of vulnerable sites under .FR and .IN TLDs. We just think of a few theories why this is so. Maybe they haven’t updated to the version of OpenSSL which was vulnerable. They could also have immediately patched vulnerable sites. Another possible reason is in these countries, relatively few servers use the most recent versions of Linux (and so use older versions of OpenSSL without this vulnerability).

    We are going to rescan selected TLDs in a few days to monitor possible changes. In the meantime, we advise website administrators to update OpenSSL to protect their users.

    Update as of April 10, 2014, 10:18 A.M. PDT: The title has been edited for clarity. 

    For other posts discussing the Heartbleed bug, check these other posts:

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice