According to experts, brute-forcing an account takes from 30 minutes to one month.
Even some of the most popular applications allow an unlimited number of login attempts against a user account, which means they are not protected against so-called brute-force attacks. Among them are widely used Android and iOS apps such as SoundCloud, ESPN, CNN, Expedia and Walmart.
According to a report by AppBugs researchers, who analyzed 53 popular applications (600 million downloads in total), all developers of the vulnerable products have been notified of the flaws.
The independent researchers give each developer a 30-day grace period to release an update, after which information about the affected application is made public.
Some of the programs with vulnerable login mechanisms have already been disclosed, and the full list will be published on July 30. Some developers have already released security updates for their platforms (Wunderlist, Dictionary and Pocket).
According to AppBugs experts, in most cases attackers need from 30 minutes to one month to brute-force a user account.
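The defect the report describes is an authentication endpoint that accepts guesses indefinitely. The example below is added here and is not code from AppBugs or from any of the applications named above: a small in-memory login service that hashes passwords and, after a bounded number of failures in a sliding window, locks the account for a period that doubles with each consecutive lockout. The policy constants, the user store and the injectable clock are constructed for the demonstration.

```python
"""Server-side throttling of login attempts (added illustration).

Instead of answering every guess, the service counts failures per
account inside a sliding window and, once the limit is hit, refuses
further attempts for a lockout period that grows with each lockout.
Unknown usernames follow the same code path as wrong passwords so the
response does not reveal which accounts exist.
"""
import hashlib
import hmac
import os
import time

# Constructed policy values for the demo; tune to the application's risk.
MAX_FAILURES = 5            # failures tolerated inside one window
WINDOW_SECONDS = 300        # sliding window for counting failures
BASE_LOCKOUT_SECONDS = 60   # first lockout; doubles on each consecutive lockout
PBKDF2_ROUNDS = 100_000

# Dummy credential used for unknown users so the hash work is still done.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_DIGEST = b"\x00" * 32


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so tests can advance time
        self.users = {}             # username -> (salt, digest)
        self.failures = {}          # username -> timestamps of recent failures
        self.lockouts = {}          # username -> (locked_until, consecutive_lockouts)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def _is_locked(self, username: str, now: float) -> bool:
        locked_until, _ = self.lockouts.get(username, (0.0, 0))
        return now < locked_until

    def _record_failure(self, username: str, now: float) -> None:
        # Keep only failures that still fall inside the window, then add this one.
        recent = [t for t in self.failures.get(username, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            _, count = self.lockouts.get(username, (0.0, 0))
            lockout = BASE_LOCKOUT_SECONDS * (2 ** count)   # exponential backoff
            self.lockouts[username] = (now + lockout, count + 1)
            self.failures[username] = []

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self._is_locked(username, now):
            return "locked"          # no password check at all while locked
        salt, expected = self.users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
        _, got = hash_password(password, salt)
        if username in self.users and hmac.compare_digest(got, expected):
            self.failures.pop(username, None)
            self.lockouts.pop(username, None)
            return "ok"
        self._record_failure(username, now)
        return "denied"


def lockout_seconds_after(consecutive_lockouts: int) -> int:
    """Length of the next lockout given how many have already been applied."""
    return BASE_LOCKOUT_SECONDS * (2 ** consecutive_lockouts)


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    for guess in ["a", "b", "c", "d", "e", "correct horse battery staple"]:
        print(guess, "->", svc.login("alice", guess))
```

With the constructed policy, five wrong guesses inside five minutes lock the account for 60 seconds, a second lockout lasts 120 seconds, and so on, which turns an unbounded guessing rate into one bounded by the lockout schedule; a real deployment would also throttle per source address and record lockouts for monitoring.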
The FIDO standard will turn users into hostages of the Apple and Android ecosystems.
Eliminating passwords may make it harder for users to switch between ecosystems: a user who replaces passwords with passkeys on Apple devices will not be able to transfer them to Android devices, and vice versa.
A passwordless world is the cherished dream of the FIDO Alliance, whose mission is to develop and promote authentication standards that “help reduce the world’s over-reliance on passwords.”
Instead of requiring users to enter passwords to log in to websites or applications, FIDO authenticates users with their own devices (for example, an iPhone can authenticate its user with Face ID).
The first demonstration of the FIDO standard on Apple devices was shown in 2019; Apple later officially confirmed that it intends to support it.
The standard is backed by tech giants like Amazon, Arm, Facebook, Google, Intel, Microsoft, and Samsung. The FIDO Alliance board of directors also includes American Express, ING, Mastercard, PayPal, Visa and Wells Fargo.
However, as Fast Company noted, in its current form the standard makes no provision for switching between ecosystems. Passkeys are stored locally on the devices, so a user who moves from an iPhone to an Android device, or vice versa, will face serious login problems: FIDO simply provides no way to transfer all of a user’s passkeys from one ecosystem to another.
Passwords, by contrast, are very easy to transfer. Popular browsers can import passwords from other browsers in a few clicks, and most password managers can export credentials to a .csv file that the user can then import manually into another service.
In theory the passkey transfer problem is easy to solve: simply allow passkeys to be exported and imported. But since the FIDO standard is positioned as a more secure alternative to passwords, the alliance is unlikely to allow this: if users can move their passkeys between providers, attackers will take advantage of that same ability. At present it is hard to say when and how the FIDO Alliance intends to solve this problem.