Web Applications Suffer From High-Severity Vulnerabilities

This is in response to the following article: https://securityintelligence.com/news/94-percent-of-web-applications-suffer-from-high-severity-vulnerabilities/

“Ninety-four percent of all web applications suffer from high-severity software vulnerabilities, a new report revealed”

We agree that being proactive, and implementing security measures is key to protecting web applications and is so vital. We wanted to share what we have done to protect the communication between a company’s API and their applications.

DTRelay is patent-pending middleware that provides authentication without exposing client-side tokens where hacking occurs. DTRelay enhances the security of web and mobile apps while simultaneously making them easier to build. It was created for web and mobile applications to run efficiently on Content Delivery Networks (CDN), and during the engineering process we solved other security risks.

DTRelay establishes a shared-secret between the client and server, and gives you secure tokens in JavaScript-Based Apps. DTRelay makes Mobile and Web Apps safer, plus it will save you time and money.

We also have a technology called DT Framework that automates software development which reduces development time by 75% to 85% by being able to build re-usable components that are powerful. It allows developers to build apps smarter, better, faster, more secure.

DT Framework can be used to write shorter, more modular, more secure code for a wide variety of systems. Click here to see how to build an app using DT Framework.

DT Framework includes a full-featured Model-View-Controller (MVC) framework that takes an API-centered approach to web and mobile application development.

Unique features include:

  • Less development cost: Build pure-static, OAuth-based apps in minutes
  • Better performance: Multiple levels of customization give granular optimization
  • Scalability: Modular, object-oriented design allows for linear complexity at any scale
  • Ease of use: Schema management with automatic reversibility and conversion
  • Complex datatypes: DTModel’s manifests connect deep hierarchies during ingest and request

More than an MVC:

  • Manage your own content/schema in DTCMS
  • Manage your local or cloud deployments
  • Migrate data from any source to any destination

How DTRelay Fixes Known Security Vulnerabilities In OAuth Protocols

OAuth isn’t perfect when it comes to App Security, but most developers still use it…

Normally during a request, the OAuth token is available in the request, and the only thing that keeps it protected is the SSL. But If you can get past the SSL, then you have access to the token.

We make OAuth apps safer. Using DTRelay, we fix vulnerabilities in the widely used OAuth protocols by never sharing keys, tokens, or other sensitive data with client applications. DTRelay works even when HTTPS is compromised. OAuth tokens are stored in DTRelay and never sent to the client application, therefore, DTRelay can be used as a security layer on top of OAuth to prevent the exposure of the access token during requests.

DTRelay also enables secure scaling over a Content Delivery Network (CDN) while enhancing the speed, security, and scalability of mobile apps and extensions.

Read About Using DTRelay to Build Pure-Static Apps.

All of the problems listed below are easily fixed by DTRelay.

By eliminating the need for client-side tokens and substantially improving the reliability of OAuth transactions, DTRelay can dramatically enhance the security of mobile and web applications, particularly for high-value or VIP users. A unique process called Delegates provides strong authentication while greatly simplifying access to any number of APIs.

Healthcare Apps and HIPAA Vulnerabilities

HIPAA, the Health Insurance Portability and Accountability Act, carries stiff federal penalties for persons or organizations exposing personal health information. In July, 2016, Oregon Health & Science University paid $2.7 million to the U.S. Department of Health and Human Services for “widespread and diverse problems at OHSU.” (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ohsu/index.html). The federal requirements outlined in 45 CFR Part 164 (https://www.law.cornell.edu/cfr/text/45/part-164) detail the requirements for organizational, hardware, and application security…

…But app security is not network security.

Nothing prevents healthcare application developers from using OAuth protocols. In fact, OAuth is heavily used. Motivated hackers can target high-profile individuals using pervasive OAuth protocols over public WIFI to obtain user tokens, which they can then use to gain access to even the most heavily protected servers. DTRelay obfuscates the identifier, and can hide the data being transmitted.

Click here to see examples of DTRelay in action.

Uber’s Vulnerabilities

Early in 2017, Appthority reported numerous security concerns regarding Uber’s mobile apps (http://info.appthority.com/-q1-2017-mtr-download-uber-security-risks). Although Uber claims to have addressed many of these concerns, the fact remains that Uber’s app continues to depend on OAuth and HTTPS, which have known vulnerabilities. Worse, Appthority reported that 15 third-party apps accessing Uber’s API use hardcoded authentication tokens. These can be used by hackers to spoof an authorized client and potentially misuse Uber’s data. By eliminating the need for client-side tokens and substantially improving the reliability of OAuth transactions.

Google’s Vulnerabilities

Google Play and Chrome continue to be plagued by malware and security vulnerabilities. Symantec, Microsoft, Check Point, PhishLabs, and others continue to report problems despite Google’s efforts to protect their assets (http://www.eweek.com/security/google-s-industry-rivals-report-security-issues-on-play-store-chrome). CVE has reported 2,952 vulnerabilities in 60 Google products since 2002 (http://www.cvedetails.com/vendor/1224/Google.html). Over 20 percent of these involve the most egregious categories of access to privileges and access to information. By eliminating the need for client-side tokens and substantially improving the reliability of OAuth transactions, DTRelay can dramatically enhance the security of mobile and web applications, particularly for high-value or VIP users.

Twitter’s Vulnerabilities

In September, 2017, CVE reported (https://www.cvedetails.com/vulnerability-list/vendor_id-14415/Twitter.html) the second of two recent major vulnerabilities in Twitter’s iOS and Android mobile apps which allow man-in-the-middle attackers to obtain OAuth tokens, spoof servers, and obtain sensitive data from Twitter servers. Earlier in 2017, Twitter fixed a bug that allowed hackers to tweet from any account (https://motherboard.vice.com/en_us/article/nejmpd/twitter-bug-allowed-hackers-to-tweet-from-any-account). India Times recently reported vulnerabilities in Twitter’s Studio app that enabled attackers to tweet from other accounts, upload videos on behalf of user, and view private media (https://www.indiatimes.com/technology/news/twitter-exploit-allowed-anyone-to-tweet-from-any-account-without-having-to-know-the-password-323324.html). Twitter is one of the few companies still using the older OAuth1 method to authenticate users. By eliminating the need for consumer tokens and substantially improving the reliability of both OAuth1 and OAuth2 transactions, DTRelay can dramatically enhance the security of Twitter mobile and web applications, particularly for high-value or VIP users. DT Relay’s use of protected parameters also prevents owner_id vulnerabilities.

LinkedIn’s Vulnerabilities

In June, 2017, Check Point researchers disclosed four major vulnerabilities in LinkedIn’s messaging service that could allow hackers to attach malware, infecting or even taking control of the machines of LinkedIn’s 500 million users (https://www.tripwire.com/state-of-security/featured/linkedin-messenger-flaws-enabled-attackers-spread-malicious-files/). Additional vulnerabilities persist from LinkedIn’s use of OAuth and HTTPS. By eliminating the need for client-side tokens and substantially improving the reliability of OAuth transactions, DTRelay can dramatically enhance the security of mobile and web applications, particularly for high-value or VIP users. DTRelay offers sound solutions to these persist threats to LinkedIn’s very large user base. This is even more important given the VIP status of many of its clients.

 

Amazon’s Vulnerabilities

Amazon has had 11 significant security vulnerabilities reported by CVE since 2010, including two maximum impact (10.0) flaws in Amazon’s Kindle and Fire services (https://www.cvedetails.com/vulnerability-list/vendor_id-12126/Amazon.html). Many of these vulnerabilities allow man-in-the-middle attackers to spoof servers and obtain sensitive information. In 2016, Rhino Security Labs reported vulnerabilities in Amazon’s AWS cloud hosting services (https://rhinosecuritylabs.com/penetration-testing/aws-security-vulnerabilities-and-the-attackers-perspective/). They described how misconfiguration of AWS implementation could give hackers access to sensitive data. More concerning, they describe in detail how sloppy use of the Amazon Metadata Service can hand hackers AccessKeyID, SecretAccessKey, and Token to potentially authenticate with root access, handing them the “keys to the Amazon kingdom.” Such AWS vulnerabilities led to the demise of a company in 2014, despite a “proven backup plan.” (https://arstechnica.com/information-technology/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/) By eliminating the need for consumer tokens and substantially improving the reliability of both OAuth transactions, DTRelay can dramatically enhance the security of mobile and web applications, particularly for high-value or VIP users. DTRelay’s use of protected parameters also prevents owner_id vulnerabilities.

 

Yahoo’s Vulnerabilities

Yahoo had three billion user accounts compromised in 2013, a 2016 disclosure that has been widely publicized (http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html). In 2014, hackers compromised 500 million accounts. CVE has documented 65 vulnerabilities across 14 Yahoo products, dating back to 1999 (http://www.cvedetails.com/vendor/290/Yahoo.html). By depending on algorithms to obfuscate protected information, YQL secure storage is vulnerable to Cross-Site Request Forgery (CSRF) attacks. DTRelay provides an alternative security strategy that is not prone to this type of attack. DTRelay can dramatically enhance the security of mobile and web applications, particularly for high-value or VIP users. DTRelay’s use of protected parameters also prevents owner_id vulnerabilities.

 

Microsoft’s Vulnerabilities

CVE has documented 5,330 security vulnerabilities in 456 Microsoft products since 1999, 598 of these in 2017 alone (https://www.cvedetails.com/vendor/26/Microsoft.html). Over 20 percent of these involve the most egregious categories of access to privileges and access to information. The rate of increase took a dramatic turn for the worse in 2012, with 2017 numbers up almost 400% from then. In July of 2017, Microsoft had to patch 54 vulnerabilities in Windows, Edge, Internet Explorer, Office and Exchange (https://threatpost.com/microsoft-patch-tuesday-update-fixes-19-critical-vulnerabilities/126758/). 19 of these were considered critical vulnerabilities, enabling hackers to do remote code execution, take control of systems, corrupt memory, and exploit vulnerabilities in the JavaScript execution engine itself. By eliminating the need for consumer tokens and substantially improving the reliability of OAuth transactions, DTRelay can dramatically enhance the security of mobile and web applications, particularly for high-value or VIP users.

 

Single-Factor Authentication Vulnerabilities

Lyft uses a single-factor authentication that depends only on a user’s phone number, a strategy that has resulted in unauthorized charges to users’ credit cards (https://www.csoonline.com/article/3134859/security/lyft-customers-face-potential-hack-from-recycled-phone-numbers.html). Hackers can target high-profile individuals using pervasive OAuth protocols over public WIFI to obtain user tokens, which they can then use to gain access to even the most heavily protected servers. Such access, in skilled hands, could threaten other Lyft customers as well.
If your business depends on the security of your clients, let us show you your vulnerabilities and how DTRelay can help.