Eavesdropper: The Mobile Vulnerability Exposing Millions of Conversations

11.10.17 | Blog Post

Appthority has discovered a significant data exposure vulnerability we’ve named Eavesdropper that affects almost 700 apps in enterprise environments. The vulnerability is caused by including hard coded credentials in mobile applications that are using the Twilio Rest API or SDK. By hard coding their credentials, the developers have effectively given global access to all metadata stored in their Twilio accounts, including text/SMS messages, call metadata, and voice recordings.

Eavesdropper poses a serious enterprise data threat because a would-be attacker could access confidential knowledge about a company’s business dealings and make moves to capitalize on them for extorting actions or personal gain. Although Appthority has not extensively analyzed the recordings out of respect for privacy, due to the nature of the apps we believe that the data may potentially include business and personal discussions such as negotiations, pricing discussions, confidential recruiting calls, proprietary product and technology disclosures, health diagnoses, market data, and M&A planning. A motivated attacker with automated tools to convert the audio to text and search for specific keywords will almost certainly be rewarded with valuable data.

TIPS #11: How can companies detect and respond to Living Off the Land (LOL) incidents?

Blog Post

Issue: Attackers are Living Off the Land by using native tools within business systems- and many companies can’t detect them. Attackers are increasingly Living Off the Land (LOL) by manipulating legitimate credentials, tools, data, and…

Blog Post

On behalf of Forgepoint Capital, I’m proud to announce our $18 million (€17 million) Series A investment in Lynx with the participation of Banco Santander. When I first met Co-Founder and CTO Carlos Santa Cruz through our relationship with…

Blog Post

Forgepoint Capital is proud to participate in the Santander X Global Challenge: Cyberprotect the Future alongside Banco Santander to advance cybersecurity innovation and investment globally. We would like to congratulate the 6 winning companies…

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Eavesdropper: The Mobile Vulnerability Exposing Millions of Conversations

11.10.17 | Blog Post

You may also enjoy:

TIPS #11: How can companies detect and respond to Living Off the Land (LOL) incidents?

Blog Post

Lynx: AI and ML to Combat Fraud and Financial Crime

Blog Post

The Santander X Global Challenge: Meeting the Innovators

Blog Post