Israel-based Skycure stumbled onto the problem when the team noticed their own app redirecting to a wrong address. It wasn’t long before they realized they could do this with other apps, too, and decided it was worth further investigation…
So how does this exploit work? An attacker must first perform an attack over an unsecured Wi-Fi connection. Then, when the end user opens a vulnerable app, the attacker will be able to intercept the HTTP connection and gain full control.
Here’s a nice overview of the vulnerability by Skycure’s CTO Yair Amit (via ArsTechnica):
“Nowadays almost all mobile applications interact with a server to send or retrieve data, whether it’s information to display or commands to be executed. Many of these applications are susceptible to a simple attack, in which the attacker can persistently alter the server URL from which the app loads its data (e.g., instead of loading the data from real.site the attack makes the app persistently load the data from attacker.site).
While the problem is generic and can occur in any application that interacts with a server, the implications of HRH for news and stock-exchange apps are particularly interesting. It is commonplace for people to read the news through their smartphones and tablets, and trust what they read. If a victim’s app is successfully attacked, she is no longer reading the news from a genuine news provider, but instead phoney news supplied by the attacker’s server. Upon testing a variety of high profile apps, we found many of them vulnerable.”
Here’s a video demonstrating how such an attack would work:
If you think you are safe, you are kidding yourself. But don’t worry! If you’re a developer, Skycure offers a simple tutorial on how to ensure your apps don’t fall prey to request hijacking. And the team says that end users who are concerned an app may have been hijacked should remove it and reinstall it.
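One defensive pattern against the URL swap described in the quote, as an added example that is not taken from Skycure's tutorial or from this post: the client talks only HTTPS to a pinned host and rejects any redirect that would leave it. The allowlist, the function names, and the assumption that the swap arrives as an HTTP redirect are illustrative; `real.site` and `attacker.site` are the placeholder hosts from the quote.

```python
import urllib.request
from urllib.parse import urlsplit

# Assumption: the app has exactly one legitimate API host.
ALLOWED_HOSTS = {"real.site"}


class RedirectBlocked(Exception):
    """Raised when a URL would move the app to an untrusted origin."""


def check_target(url):
    """Return url if it is HTTPS on an allowed host, else raise RedirectBlocked."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise RedirectBlocked(f"not HTTPS: {url}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise RedirectBlocked(f"host not allowed: {url}")
    return url


class PinnedRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow a redirect only when it stays on the pinned HTTPS origin."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # Vet the Location before a request to the new URL is even built.
        check_target(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_client():
    """Opener that vets every redirect; urllib itself keeps no redirect cache,
    so nothing a network attacker injects survives into the next launch."""
    return urllib.request.build_opener(PinnedRedirectHandler)


def vet(original, location, code=301):
    """Offline helper: report what the handler does with a given redirect."""
    handler = PinnedRedirectHandler()
    req = urllib.request.Request(check_target(original))
    try:
        new = handler.redirect_request(req, None, code, "Moved", {}, location)
        return new.full_url
    except RedirectBlocked as exc:
        return f"blocked ({exc})"
```

In an app, `build_client().open(check_target(url))` applies both checks to the first request and to every hop after it.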