Web App Developers Putting Millions At Risk

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/vulnerabilities---threats/web-app-developers-putting-millions-at-risk/d/d-id/1320720

By Jai Vijayan
Dark Reading
June 4, 2015

A troubling failure by many web application developers to properly secure 
how their apps connect to mobile backend-as-a-service systems like 
Facebook’s Parse and Amazon’s AWS could be leaving sensitive information 
on millions of Internet users vulnerable to compromise.

Researchers at Germany’s LOEWE Center for Advanced Security Research 
Darmstadt (CASED) recently issued an alert on the issue, claiming they had 
found a stunning 56 million sets of unprotected data in cloud databases 
like Parse and AWS. The exposed records included email addresses, 
passwords, health records, and other sensitive data belonging to hapless 
users of web applications that use these backend web databases, the 
researchers said.

At issue is the manner in which many web developers integrate support for 
BaaS in their applications, Eric Bodden, principal investigator in secure 
services at CASED said in a FAQ on the topic.

Cloud databases like Parse and AWS make it easy for web application 
developers to enable data storage and synchronization across multiple 
platforms like iOS, Android, Windows, and OS X.  Backend-as-a-service 
technologies eliminate the need for application developers to set up their 
own servers for storing and synchronizing user data. Instead, with just a 
few lines of authenticating code, the developers can connect their apps to 
backend systems like Parse and AWS and enable the same capability for 
users. The weakest form of authentication uses a simple API-token or a 
number that is embedded into the app's code.

[...]

--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/