A popular mobile application that provides financial market research material operates without any encryption of its network traffic, putting user information, including credentials and the user's financial interests, at risk.
The Seeking Alpha mobile app for Android and iOS leaks everything from HTTP cookies to the stock positions the user is interested in. The app is not a trading app, but the Rapid7 researchers who found the lack of encryption said that an attacker on the same wireless network, for example, could sniff cleartext usernames and passwords and reuse the credentials elsewhere.
Compounding the problem is a lack of communication from Seeking Alpha. Rapid7 researcher Derek Abdine found the vulnerability and began trying to contact Seeking Alpha on May 3; Rapid7 made a private disclosure to CERT on May 19. Seeking Alpha also did not respond to a request for comment from Threatpost. According to Google Play statistics, the Android version of the app has been downloaded between 500,000 and 1 million times.
“It’s not a trading platform like eTrade where you can execute trades, which is good because that would be a disaster,” said Tod Beardsley, Rapid7 security research manager. “This gives up your user name and password, which in and of itself is bad. The fear is that people who use this app would tend to reuse usernames and passwords elsewhere.”
An attacker in a man-in-the-middle position on a wireless network, or upstream with some degree of control over an ISP, could intercept and read the app's traffic.
“It’s a pretty simple attack; it’s how people normally use their phone by connecting to [a carrier] in the clear,” Beardsley said. “You can pretend to be them and set up your own access point.”
The app polls the stock ticker symbols a user follows over plain HTTP, which could be used to profile victims for targeted phishing, for example. Rapid7 said HTTP is also used in the app's authentication sequence, sending a user's email address, password, and session token in the clear.
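To make the exposure concrete, the following is an added example (not code from the article or from Rapid7) of what a passive observer on the same wireless network can pull out of a cleartext HTTP login followed by a ticker poll. The captured bytes, hostname, paths and field names are constructed for the example and are assumptions, not taken from the Seeking Alpha app; the parser itself is generic, which is the point: no app-specific knowledge is needed to recover the credentials.

```python
"""Passive extraction of secrets from cleartext HTTP client traffic.

Added example, not code from the original article or from Rapid7. The
captured bytes, hostname, paths and field names below are constructed for
the example and are assumptions, not taken from the Seeking Alpha app.
"""
from urllib.parse import parse_qs, urlsplit

# Form fields that usually carry credentials (assumption: a generic
# watch-list, not the app's real parameter names).
CREDENTIAL_FIELDS = {"email", "username", "user", "login", "password",
                     "passwd", "pwd", "token", "session", "auth_token"}
# Request headers that carry session tokens on every request. A tuple keeps
# the order of findings deterministic.
SECRET_HEADERS = ("cookie", "authorization", "x-auth-token")

# Constructed client->server TCP payload: a form-encoded login followed by a
# pipelined poll of the watched tickers, as tcpdump would show the bytes.
_LOGIN_BODY = b"email=analyst%40example.com&password=Hunter2%21&remember=1"
CAPTURED_CLIENT_STREAM = (
    b"POST /api/v2/login HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_LOGIN_BODY)
    + _LOGIN_BODY
    + b"GET /api/v2/portfolio?symbols=AAPL%2CMSFT%2CTSLA HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Cookie: session=9f3c1b2a7e; user_id=4242\r\n"
    b"\r\n"
)


def split_requests(stream: bytes):
    """Yield (request_line, headers, body) for every HTTP request in a
    client->server byte stream. The body end is located with Content-Length
    so pipelined requests are separated correctly; chunked request bodies are
    not handled because the constructed traffic does not use them."""
    pos = 0
    while True:
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            return
        lines = stream[pos:head_end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        yield lines[0], headers, stream[body_start:body_start + length]
        pos = body_start + length


def extract_findings(stream: bytes):
    """Return a list of dicts for every secret or profiling datum visible in
    the stream. kind is 'query', 'header', 'credential' or 'form'."""
    findings = []
    for request_line, headers, body in split_requests(stream):
        method, target, _ = request_line.split(" ", 2)
        parts = urlsplit(target)
        request = f"{method} http://{headers.get('host', '')}{parts.path}"
        # Query strings leak interests (watched tickers) even without a login.
        for name, values in parse_qs(parts.query).items():
            findings.append({"kind": "query", "request": request,
                             "field": name, "value": values[0]})
        # Session cookies and bearer tokens ride along on every request.
        for hname in SECRET_HEADERS:
            if hname in headers:
                findings.append({"kind": "header", "request": request,
                                 "field": hname, "value": headers[hname]})
        # Form-encoded bodies are where the login credentials travel.
        ctype = headers.get("content-type", "")
        if ctype.startswith("application/x-www-form-urlencoded"):
            for name, values in parse_qs(body.decode("iso-8859-1")).items():
                kind = "credential" if name.lower() in CREDENTIAL_FIELDS else "form"
                findings.append({"kind": kind, "request": request,
                                 "field": name, "value": values[0]})
    return findings


if __name__ == "__main__":
    for f in extract_findings(CAPTURED_CLIENT_STREAM):
        print(f"{f['kind']:<10} {f['field']:<10} {f['value']}  ({f['request']})")
```

Feeding the same parser the client side of a real capture (for example `tcpdump -A 'tcp dst port 80'`) is how a tester confirms a finding like this one; anything the script lists is also available to everyone else on that network.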
“It’s a really unusual practice today,” Beardsley said of the lack of encryption. “That’s the surprising part post-Snowden, most major sites have HTTPS enabled by default, and things like certificate pinning that make sure things are actually secure and doing things in an encrypted way.
“To see something not do it at all is surprising. In a perfect world, we’d like to see developer kits (from Google and Apple) throw up a flag.”
Stranger still, the Seeking Alpha website redirects HTTPS browser requests to HTTP, the reverse of the accepted best practice of redirecting HTTP to HTTPS, and it does so even during authentication. Rapid7 says the preference for HTTP over encrypted connections seems to permeate Seeking Alpha's engineering philosophy.
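The redirect direction is easy to check for any site. The following is an added example, not from the article or from Rapid7: a small classifier that resolves a redirect's Location header against the original request URL (Location may be absolute, scheme-relative or relative) and reports whether the scheme was upgraded, downgraded or left alone, plus a one-request probe that fetches a URL without following redirects so the direction can be inspected. The hostnames used are placeholders, not claims about any real site.

```python
"""Check which way a site's scheme redirects point.

Added example, not code from the original article or from Rapid7. The
expected pattern is that an http:// request is redirected to https:// (and
the HTTPS response carries Strict-Transport-Security) and that an https://
request is never sent back to http://. Hostnames here are placeholders.
"""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def classify_redirect(request_url, status, headers):
    """Return 'none', 'same', 'upgrade', 'downgrade' or 'other' for one
    response to request_url. headers maps header name -> value. Location may
    be absolute, scheme-relative (//host/path) or relative, so it is resolved
    against the request URL before the schemes are compared."""
    if status not in REDIRECT_STATUSES:
        return "none"
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if location is None:
        return "none"
    src = urlsplit(request_url).scheme.lower()
    dst = urlsplit(urljoin(request_url, location)).scheme.lower()
    if src == dst:
        return "same"
    if (src, dst) == ("https", "http"):
        return "downgrade"
    if (src, dst) == ("http", "https"):
        return "upgrade"
    return "other"


def audit(request_url, status, headers):
    """Turn one response into a verdict a tester can act on."""
    direction = classify_redirect(request_url, status, headers)
    scheme = urlsplit(request_url).scheme.lower()
    has_hsts = any(k.lower() == "strict-transport-security" for k in headers)
    if direction == "downgrade":
        return "FAIL: HTTPS request redirected to HTTP"
    if scheme == "http" and direction != "upgrade":
        return "FAIL: HTTP request not redirected to HTTPS"
    if scheme == "https" and not has_hsts:
        return "WARN: HTTPS response without Strict-Transport-Security"
    return "PASS"


def probe(url, timeout=10):
    """Send one GET for url without following redirects and return
    (status, headers) ready for audit(). Needs network access."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/",
                     headers={"Host": parts.netloc, "User-Agent": "redirect-audit/0.1"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed responses: the downgrade the article describes, then the correct pattern.
    print(audit("https://www.example.invalid/login", 302,
                {"Location": "http://www.example.invalid/login"}))
    print(audit("http://www.example.invalid/", 301,
                {"Location": "https://www.example.invalid/"}))
    # Live check against a host you are authorized to test:
    # url = "https://www.example.invalid/"; print(audit(url, *probe(url)))
```

Run both the `http://` and the `https://` form of the login URL through `audit(url, *probe(url))`; a site configured the way the article describes fails on the second, while a correctly configured one passes both.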
“It’s backwards from what we typically see,” Beardsley said. “The app and site are strongly and strangely anti-encryption, and we cannot get hold of the maintainers of the site. It’s possible they don’t know. The only recourse is letting users know so they can make their own decision.”
The only mitigations for now are to avoid using the Seeking Alpha mobile apps altogether or, at a minimum, to connect through a mobile VPN. Rapid7 cautions that a VPN protects the traffic only as far as the VPN endpoint; from there to Seeking Alpha's servers it still travels in the clear.