Application Security

7/6/2018
10:15 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Trading Platforms Riddled With Severe Flaws

In spite of routing trillions of dollars of stock and commodity trades every day, financial cousins to online banking applications are written very insecurely.

While many banking application developers have made great strides in hardening their software from attacks, much of the rest of the fintech application field is wide open for ownage through very basic but severe vulnerabilities reminiscent of the kind we saw nearly a decade ago.

Next month at Black Hat USA, a researcher from IOActive will detail some stark examples of this during a presentation that will show the depths of flaws found present in stock-trading platforms used by millions of traders around the globe.

"When I'm testing a web platform or mobile platform, it is as if I'm testing an application from 2010 or 2012," says Alejandro Hernandez, senior consultant for IOActive. This is a follow-on from initial research he presented last year on a limited number of mobile-trading applications. This year, he expanded the scope to desktop, web application, and mobile-trading software offered by a wide range of financial institutions. 

Hernandez found a universal lack of security controls up and down the list of 79 applications he tested. Across all three categories, he saw examples of decades-old protocols being used for communication that were sending transmissions unencrypted. He also found examples of unencrypted storage, unencrypted log files, and no enforcement for strong password policies or automatic logout.

"You'd think by the nature of the technology that these kind of technologies would be super secure," Hernandez says. "You assume, well, if my mobile-banking app or home-banking websites are secure – or at least somewhat secure – that trading applications where trillions of dollars are traded per day would also be secure. But that's not the case."

Specifically in mobile-trading applications, Hernandez found many did not even perform SSL certificate validation to prevent man-in-the-middle attacks. Additionally, few of them had any kind of anti-reversing mitigations; upon reverse-engineering them, he found that most included hard-coded secrets in the code. In the web applications, he found session cookies still created without security flags and very few of them using HTTP security headers. 

Meantime, because the desktop applications include full feature sets, they have even more interesting flaws due to a larger attack surface. For example, the desktop applications frequently use a customized programming language that make it easy for traders to install add-ons and plug-ins. But this feature also opens them up to being easily tricked into installing malicious plug-ins, such as a malicious trading robot or malicious financial indicator function. Similarly, the way these desktop applications are designed to interact and communicate with other trading technologies, they're frequently wide open to denial-of-service (DoS) conditions.  

The applications tested are primarily used by consumer investors, but Hernandez says a number of institutional investors also rely on them. The malicious applications of all these flaws are seemingly limitless. In addition to run-of-the mill identity theft, bad actors could use information stolen from well-known traders to shape the way they invest. They could perform DoS attacks, and these flaws could be used to install backdoors and other hostile code that most traders wouldn't ever be able to detect.

"And this research I did only scratches the surface," Hernandez says. "It's only the end-user platforms. We haven't tested the back-end services, the back-end networks, or the back-end protocols they use in exchanges."

Related Content: 

 

 
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ronrob123
50%
50%
ronrob123,
User Rank: Apprentice
7/25/2018 | 2:31:45 PM
crypto scams
How can we route out the the theiving rogues who take your money on the pretence of investing your funds then NEVER give it back when you want it, although they tell you the money is yours at ALL times, do you think that we could approach the owners of their ip address to get them to put pressure on them to either do what they say or get exposed?. 

  And yes I have been conned out of £7332 by a company called "digitalgoldxchange.com" with an ip address of (sorry) [23.83.222.3] (that is the originating ip address)
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17182
PUBLISHED: 2018-09-19
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations...
CVE-2018-17144
PUBLISHED: 2018-09-19
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...