The popular SeekingAlpha mobile application for tracking stocks and shares on Android and iOS devices harbours a serious security flaw leading to information leaks.
Discovered by Derek Abdine of Rapid7, the vulnerability "leaks personally identifiable and confidential information, including the username and password to the associated account, lists of stock symbols the user is interested in, and HTTP cookies," according to the team.
Seeking Alpha describes itself as a "platform for investment research" and provides users with tools and content for investors to ferret out information on public stocks, investment opportunities and other securities.
The company's app, available on the Android and iOS mobile platforms, caters for at least 2.4 million users.
The vulnerability stems from Seeking Alpha's reliance on plain HTTP rather than the encrypted HTTPS. All information passing between the company's app and its associated web services is therefore transmitted in cleartext, making it trivial for anyone on the network path to intercept, view or modify this communication.
As an example, an attacker could take advantage of HTTP to view a user's stock ticker preferences, gaining valuable personal financial data about the target before using this information in targeted attacks such as spear phishing campaigns.
HTTP is also used for the authentication sequence, making the matter worse. The user's full email address, password and HTTP session tokens are therefore transmitted in cleartext, as are other elements -- such as the fingerprintable User-Agent header, which reveals the build version of the app and platform data.
As a result, this lax security practice places user data at serious risk. An attacker who eavesdrops on a session can capture all of this information -- and, in the right circumstances, may also be able to mount a man-in-the-middle (MITM) attack.
"Curiously, HTTPS requests to seekingalpha.com using a normal browser on a traditional PC or laptop are also redirected to HTTP services, rather than the reverse," the researchers say. "This includes the authentication sequence. This observation seems to indicate that the preference for HTTP over HTTPS would appear to permeate the engineering practices at Seeking Alpha."
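The two problems described above, credentials and cookies sent over plain HTTP and an HTTPS request being redirected down to HTTP, are the kind of thing an app security review checks for. The following Python is an added illustration, not code from the article or from Rapid7, and runs only over constructed sample data (the example.test host, request contents and redirect chain are all made up).

```python
"""Defensive checks for cleartext transport of secrets and protocol downgrades.
Constructed example; inputs are captured-request dicts and redirect chains."""
from urllib.parse import urlparse, parse_qs

# Form fields whose values should never leave the device unencrypted.
SENSITIVE_FIELDS = {"password", "passwd", "pass", "token", "session"}


def downgrade_in_redirects(chain):
    """chain: ordered list of URLs visited while following redirects.
    Returns the index of the first hop where an https:// URL redirected to
    http:// (the downgrade the researchers observed), or None if no hop did."""
    schemes = [urlparse(u).scheme.lower() for u in chain]
    for i in range(1, len(schemes)):
        if schemes[i - 1] == "https" and schemes[i] == "http":
            return i
    return None


def cleartext_findings(request):
    """request: dict with 'url', 'headers' (dict) and 'body' (form-encoded str).
    Returns a list of findings for secrets that would travel unencrypted;
    an HTTPS request yields no findings because its contents are protected."""
    findings = []
    if urlparse(request["url"]).scheme.lower() != "http":
        return findings
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if "authorization" in headers:
        findings.append("Authorization header over HTTP")
    if "cookie" in headers:
        findings.append("session cookie over HTTP")
    # parse_qs keeps field order, so findings come out in body order.
    for field in parse_qs(request.get("body", "")):
        if field.lower() in SENSITIVE_FIELDS:
            findings.append(f"form field '{field}' over HTTP")
    return findings


if __name__ == "__main__":
    # Constructed login request resembling the cleartext authentication flow.
    login = {
        "url": "http://example.test/login",
        "headers": {"Cookie": "sid=abc123", "User-Agent": "ExampleApp/1.0"},
        "body": "email=a%40b.test&password=hunter2",
    }
    print(cleartext_findings(login))
    print(downgrade_in_redirects(["https://example.test/", "http://example.test/"]))
```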
Seeking Alpha has yet to provide a fix for the security flaw. Until then, Rapid7 recommends that users do not use the app while connected to public, untrusted networks. In addition, routing traffic through a virtual private network (VPN) should prevent eavesdropping on the local network.