Forbes reported that researchers in Hong Kong have discovered a vulnerability in 41 percent of the 600 most popular U.S. and Chinese Android apps, leaving 1 billion accounts at risk.
The researchers found issues in how the apps use OAuth 2.0, the authorization framework behind "Log in with Facebook" and "Log in with Google", which lets a user sign in to an app with an account they already have instead of creating a separate username and password for it. Some app developers, particularly small, third-party operations, skipped the step that actually authenticates the user: the app's own server accepted the user ID the phone reported without confirming it with the identity provider, leaving a whole host of apps open to attack.
The attack is simple. A hacker signs in to a vulnerable app with their own Facebook or Google account, then swaps the user ID in the traffic between the app and the app's server for the ID of a target. Because the server never checks that ID against the identity provider, it logs the hacker in as the target. Everything happens on the hacker's own phone; the target's device is never touched and the target gets no sign that anything happened.
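To make the missing check concrete, here is an added example (not code from the researchers, Forbes, or any of the affected apps) of a toy app backend with the vulnerable login handler beside a hardened one. The identity provider is simulated locally with an HMAC-signed token so the example runs offline; a real provider instead returns a signed ID token or exposes a token-introspection/userinfo endpoint, and the hardened handler must validate the token with the provider's keys or endpoint. The user IDs, the app identifier "app-123" and the signing key are all constructed for the example.

```python
"""Vulnerable vs. hardened server-side handling of a social sign-in.

The app's server is the party that must decide who the user is. The
vulnerable handler believes the user_id field the phone sends; the
hardened handler derives identity only from a token the identity
provider (IdP) actually signed, and checks the token was issued for
this app.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# --- Toy identity provider (constructed for this example) ----------------
IDP_SECRET = b"idp-signing-key-for-demo-only"  # stands in for the IdP's private key
THIS_APP_ID = "app-123"                         # hypothetical client id of our app


def idp_issue_token(user_id: str, audience: str) -> str:
    """What the IdP hands the mobile app after the user logs in there.

    Carries the subject (who the user is) and the audience (which app the
    token was minted for), protected by the IdP's signature.
    """
    claims = {"sub": user_id, "aud": audience}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def idp_verify_token(token: str) -> Optional[dict]:
    """Return the claims the IdP vouches for, or None if the token is bad."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or altered token
    return json.loads(base64.urlsafe_b64decode(payload))


# --- App backend: the login endpoint, two ways ---------------------------
def vulnerable_login(request: dict) -> Optional[str]:
    """The flaw: any token plus a client-chosen user_id gets a session.

    The attacker logs in with their own valid token, then rewrites
    user_id in the request to the victim's id.
    """
    if not request.get("token"):
        return None
    return request["user_id"]  # identity taken from the client, never checked


def hardened_login(request: dict) -> Optional[str]:
    """Identity comes only from the verified token; user_id is ignored."""
    claims = idp_verify_token(request.get("token", ""))
    if claims is None:
        return None
    if claims.get("aud") != THIS_APP_ID:
        return None  # token was minted for a different app: reject
    return claims["sub"]


def attacker_replay() -> tuple:
    """Same tampered request against both handlers.

    Returns (who the vulnerable server logs in, who the hardened server
    logs in). The attacker becomes the victim on the vulnerable server
    and only themselves on the hardened one.
    """
    attacker_token = idp_issue_token("attacker@example.com", THIS_APP_ID)
    tampered = {"token": attacker_token, "user_id": "victim@example.com"}
    return vulnerable_login(tampered), hardened_login(tampered)


if __name__ == "__main__":
    print(attacker_replay())
```

The audience check matters as much as the signature check: a token legitimately issued to some other app must not open an account on this one, so the server has to confirm the token was minted for its own client ID, not merely that the identity provider signed it.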
The implications of such a hack are stark. Data synced from Android users’ contact lists could allow hackers to gain access to additional phones. Calendar, travel itinerary information and location data could be used to stalk. Hackers could gain access to photos and financial information, depending on what access users had previously granted their apps.
There have been an estimated 2.4 billion downloads of apps vulnerable to these OAuth attacks, and about half of those users sign in through OAuth. The researchers did not name the vulnerable apps, but they did say that the iOS versions of the same apps are potentially just as insecure, since the missing check is on the app's server rather than in the phone's operating system.