Dozens of phone apps with 300 million downloads vulnerable to password cracking

Smartphone apps from Walmart, CNN, ESPN, and dozens of other organizations put user accounts at risk of compromise because they allow attackers to make an unlimited number of login attempts, according to recently published research. Security experts have long recognized the benefit of limiting the number of unsuccessful login attempts that users can make to online accounts. While such limits make it possible for attackers to lock out legitimate users, such denial-of-service drawbacks are generally outweighed by the protection they provide against online password cracking attempts, in which attackers make huge numbers of password guesses against specific user accounts in the hopes of trying the right one.

According to research from smartphone security firm AppBugs, dozens of Android and iPhone apps downloaded more than 300 million times contain no limits on the number of logins that can be attempted. Per the company's disclosure policy, researchers give app developers up to 90 days to fix vulnerabilities before making them public. That means most of the 50 or so apps identified by AppBugs still aren't being made public. Still, the grace period has expired on at least 12 apps, including those from CNN, ESPN, Slack, Expedia, Zillow, SoundCloud, Walmart, Songza, iHeartRadio, Domino’s Pizza, AutoCAD, and Kobo. Three other apps, from Wunderlist, Dictionary, and Pocket, were found to be vulnerable but were later fixed after AppBugs brought the weaknesses to the developers' attention.