As many as 600 million smartphone users could be at risk of having their online accounts cracked after new research revealed that many of the world’s most popular apps allow an unlimited number of log-in attempts.
Mobile security firm AppBugs tested 100 of the most popular Android and iOS apps supporting password protected accounts – with each registering at least one million downloads.
It was shocked to find that 53% had a password brute force vulnerability, allowing attackers to guess away until they crack the credential.
Of these, the affected Android apps had been downloaded 300 million times. Although Apple does not release such data, AppBugs estimated the download number for the affected iOS apps to be similar.
The firm explained the following:
“According to this study on 70 million passwords, the strength of user passwords typically contains 10-20 bits of security. This means that it only takes the attacker 1024-1048576 guesses to find the correct one. Assuming the attacker makes login attempts to the vulnerable service 30 times per minute, it takes him half an hour to 24 days to guess a password, depending on the strength of the target password. This is a scary estimate. Attackers have no problem launching the attacks from multiple IP addresses on multiple user accounts in parallel and often can make guesses more than 30 times per minute. If today the attacker launches such an attack against most user accounts in parallel, he will be able to get most user passwords within 24 days.”
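As an added check on the arithmetic in that quote (example code written for this page, not AppBugs' or the article's own), the Python below reproduces the worst-case guess time for 10 and 20 bits at 30 guesses per minute, then simulates a constructed per-account lockout policy of five failures per 15 minutes, the kind of limit the affected apps lacked, to show how far it cuts an attacker's throughput. The lockout numbers are an illustration, not a figure from the article.

```python
from collections import defaultdict

SECONDS_PER_MINUTE = 60
MINUTES_PER_DAY = 24 * 60


def guesses_for_bits(bits: int) -> int:
    """Worst case: every candidate in a space of 2**bits passwords must be tried."""
    return 2 ** bits


def minutes_to_exhaust(bits: int, guesses_per_minute: float) -> float:
    """Time to exhaust the space at a fixed, unthrottled guess rate (as in the quote)."""
    return guesses_for_bits(bits) / guesses_per_minute


class AttemptLimiter:
    """Rolling-window limiter: at most `max_attempts` failed logins per account
    within any `window_seconds` span. Timestamps are integer seconds (constructed)."""

    def __init__(self, max_attempts: int, window_seconds: int):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self._failures = defaultdict(list)  # account -> failure timestamps

    def allow(self, account: str, now: int) -> bool:
        recent = [t for t in self._failures[account] if now - t < self.window_seconds]
        self._failures[account] = recent  # drop failures that have aged out
        return len(recent) < self.max_attempts

    def record_failure(self, account: str, now: int) -> None:
        self._failures[account].append(now)


def guesses_permitted(limiter: AttemptLimiter, interval_seconds: int, total_seconds: int) -> int:
    """Count how many wrong guesses against one account get through in `total_seconds`
    when the guesser tries every `interval_seconds` (2 s = the quote's 30 per minute)."""
    accepted = 0
    for now in range(0, total_seconds, interval_seconds):
        if limiter.allow("victim", now):
            limiter.record_failure("victim", now)  # every guess is assumed wrong
            accepted += 1
    return accepted


if __name__ == "__main__":
    for bits in (10, 20):  # the 10-20 bit range from the quote
        mins = minutes_to_exhaust(bits, 30)
        print(f"{bits} bits at 30/min: {mins:.0f} min ({mins / MINUTES_PER_DAY:.1f} days)")
    hour = 60 * SECONDS_PER_MINUTE
    limited = guesses_permitted(AttemptLimiter(5, 15 * SECONDS_PER_MINUTE), 2, hour)
    print(f"guesses per hour: unthrottled {hour // 2}, with 5-per-15-min lockout {limited}")
```

With the lockout in place the same guesser gets 20 attempts an hour instead of 1800, which stretches the 24-day figure for a 20-bit password to several years for a single account.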