Millions of bank accounts around the world are at risk from a serious security flaw affecting mobile banking apps from some of the major lenders, according to a new study.
The vulnerability was identified by researchers at the University of Birmingham, who tested a new security tool called Spinner on a sample of 400 apps. They found that several banking apps were affected by a flaw that could allow attackers to retrieve usernames, passwords and PIN codes through a "man in the middle" attack.
"We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC," researchers said in the study, adding that the security flaw has left tens of millions of users vulnerable to hackers.
"Our tests find that apps from some of the world's largest banks contain the flaw, which if exploited, could enable an attacker to decrypt, view and modify traffic (including login credentials) from the users of the app," researchers said.
Thankfully, some of Britain's biggest banks, including HSBC, NatWest and Co-op Bank, have now fixed the vulnerability, after reportedly leaving customers open to attackers for six to eight months.
Although the researchers said it would not be possible to tell how many people, if any, had been affected by the flaw, criminals could easily have exploited it to steal money from victims' accounts as long as the victims were connected to the same public Wi-Fi network.
"It's impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network," The Telegraph quoted Dr Tom Chothia, co-author of the study, as saying.
According to the researchers, the security flaw was mainly caused by poor implementation of a technology called "certificate pinning," a common feature in security-sensitive applications. Pinning ties an app to a specific certificate or certificate authority, so the app rejects the substitute certificates that standard testing tools rely on; in this case that made it difficult for testers to identify serious security issues.
"This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks," researchers said.
In computer security, a man in the middle or MITM attack is one in which the attacker secretly relays, and possibly modifies, the communication between two parties who believe they are communicating directly with each other.
The researchers, meanwhile, have worked with the banks and the UK government's National Cyber Security Centre to address the issue. While the current versions of the affected apps are now said to be secure, customers are strongly advised to always use the most recent version of the app.
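The flaw described above, modelled as an added example (this is not the researchers' Spinner tool or any bank's code): a simplified certificate verifier that pins the issuing CA's key, run with and without the hostname check. All certificates, keys and domain names are constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed, simplified certificate model; no real X.509 parsing is done.
@dataclass(frozen=True)
class Cert:
    subject: str
    sans: tuple        # dNSName entries from subjectAltName
    issuer: str
    public_key: bytes  # constructed bytes standing in for SubjectPublicKeyInfo

def spki_pin(cert):
    """SHA-256 of the (constructed) public key, the usual pin format."""
    return hashlib.sha256(cert.public_key).hexdigest()

def hostname_matches(pattern, host):
    """RFC 6125-style match: exact labels, or one leftmost wildcard label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or (p[0] == "*" and len(p) < 3):
        return False
    return h[1:] == p[1:] if p[0] == "*" else p == h

def verify(chain, host, pinned, check_hostname):
    """chain[0] is the leaf, chain[-1] the trusted root. Returns (ok, reason)."""
    for child, parent in zip(chain, chain[1:]):   # issuer linkage (names only here)
        if child.issuer != parent.subject:
            return False, "broken chain"
    if not any(spki_pin(c) in pinned for c in chain):  # pin may sit on any cert
        return False, "pin mismatch"
    # The hostname check is the step the flawed apps skipped.
    if check_hostname and not any(hostname_matches(n, host) for n in chain[0].sans):
        return False, "hostname mismatch"
    return True, "ok"

# Constructed sample: a public CA that issues to anyone, the bank's leaf cert,
# and an attacker's leaf cert obtained from the same CA for the attacker's own domain.
CA = Cert("Example Public CA", (), "Example Public CA", b"constructed-ca-key")
BANK = Cert("Example Bank", ("*.examplebank.test",), CA.subject, b"constructed-bank-key")
MITM = Cert("Attacker", ("attacker.test",), CA.subject, b"constructed-mitm-key")
PINNED = {spki_pin(CA)}  # the app pins the CA rather than its own leaf cert
HOST = "app.examplebank.test"

def demo():
    return {
        "bank_cert_flawed_app": verify([BANK, CA], HOST, PINNED, False),
        "mitm_cert_flawed_app": verify([MITM, CA], HOST, PINNED, False),  # accepted!
        "mitm_cert_fixed_app": verify([MITM, CA], HOST, PINNED, True),
    }
```

The flawed verifier accepts the attacker's certificate because it chains to the pinned CA, while the fixed one rejects it on the hostname; pinning the bank's own leaf key instead of the CA would also have blocked it, but hostname verification is still required.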
Correction: Bank of America clarified that the vulnerability identified in this report was resolved in Bank of America's Health app in January 2016. The affected app is no longer available as of June 2017. The article has since been corrected.