IOActive Discloses More Vulnerabilities in Popular Stock Trading Applications at Black Hat USA 2018

08.08.2018 10:57 am

IOActive, Inc., the worldwide leader in research-driven security services, today announced new vulnerabilities the research team has discovered in mobile, desktop and web stock trading applications. IOActive Senior Security Consultant, Alejandro Hernandez, will be presenting his vulnerability findings at Black Hat Las Vegas on Thursday, August 9th at 11am PT in his talk, “Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies.”

His research expands upon his original 2017 research on mobile trading applications. At Black Hat, Hernandez will discuss how he tested several stock trading and cryptocurrency trading technologies including 16 desktop applications, 30 websites, and 34 mobile applications and discovered major vulnerabilities that can allow malicious actors to gain access to a user’s personal banking information through desktop and web applications, steal money and gain insights into net worth and investment strategies.

Hernandez commented, “I published my original research nearly a year ago, and it’s deeply concerning that some of the same vulnerabilities have still not been fixed.”

Similar to his research last year, Hernandez found that the usernames and passwords can easily be stolen from stock trading networks. This year, he found many vulnerabilities including unencrypted authentication, communications, passwords and trading data, and remote Denial of Service (DoS) that can leave applications useless. In addition, he found issues with weak password policies, hardcoded secrets and poor session management.
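As an added illustration (not part of IOActive's release or of Hernandez's research), the following Python script shows how a defender reviewing a trading client might screen captured client-server transactions for two of the weakness classes listed above: credentials or trading data submitted over plain HTTP, and session cookies issued without the Secure and HttpOnly attributes. The sample transactions, the `example.invalid` hostnames and the field names are constructed for this example and do not describe any real vendor.

```python
"""Screen captured HTTP transactions from a trading client for cleartext
authentication/trading data and weak session-cookie attributes.

All sample data below is constructed for illustration; the hostnames use
the reserved .invalid TLD and do not refer to any real application.
"""
from urllib.parse import parse_qs, urlsplit

# Form-field names that indicate an authentication exchange.
CREDENTIAL_FIELDS = {"username", "user", "login", "password", "passwd", "pin", "otp"}
# Form-field names that indicate order or account data.
TRADING_FIELDS = {"symbol", "qty", "quantity", "side", "order_id", "account"}

# Constructed transactions, as an interception proxy might record them.
SAMPLE_TRANSACTIONS = [
    {"url": "http://trade.example.invalid/login", "method": "POST",
     "body": "username=alice&password=hunter2",
     "set_cookie": "SESSIONID=abc123; Path=/"},
    {"url": "https://trade.example.invalid/login", "method": "POST",
     "body": "username=bob&password=correcthorse",
     "set_cookie": "SESSIONID=def456; Path=/; Secure; HttpOnly"},
    {"url": "http://quotes.example.invalid/order", "method": "POST",
     "body": "symbol=ACME&qty=100&side=buy", "set_cookie": ""},
    {"url": "https://trade.example.invalid/balance", "method": "GET",
     "body": "", "set_cookie": "SESSIONID=ghi789; Path=/; HttpOnly"},
]


def audit_transaction(tx):
    """Return the list of weakness labels found in one transaction."""
    findings = []
    cleartext = urlsplit(tx["url"]).scheme.lower() == "http"
    fields = set(parse_qs(tx.get("body", ""), keep_blank_values=True))

    # Credentials or trading data carried without TLS can be read or
    # altered by anyone on the same network path.
    if cleartext and fields & CREDENTIAL_FIELDS:
        findings.append("cleartext-credentials")
    if cleartext and fields & TRADING_FIELDS:
        findings.append("cleartext-trading-data")

    # A session cookie without Secure may be sent over HTTP later; without
    # HttpOnly it is readable by injected script.
    cookie = tx.get("set_cookie", "")
    if cookie:
        attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("session-cookie-missing-secure")
        if "httponly" not in attrs:
            findings.append("session-cookie-missing-httponly")
    return findings


def audit_all(transactions):
    """Audit every transaction; returns a list of (url, findings) pairs."""
    return [(tx["url"], audit_transaction(tx)) for tx in transactions]


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_TRANSACTIONS):
        print(url, "->", ", ".join(findings) if findings else "no findings")
```

The check only looks at what the proxy recorded, so an application that pins certificates or uses a non-HTTP transport needs a different collector; the classification logic stays the same.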

“Imagine a stock trader in a coffee shop, using public Wi-Fi. An attacker would be able to easily perform a man-in-the-middle attack and identify or modify the network traffic that is unencrypted,” says Hernandez. “For example, the attacker could see the username and password of the trader’s account and later log in through a web browser, link his or her bank account, sell the stocks at market price to liquidate the investments, transfer the money, remove the added bank account and log out.”

“Alejandro’s continued research and discovery of major flaws in stock trading technologies will hopefully be a wakeup call to the financial industry,” said Jennifer Steffens, CEO of IOActive. “They need to implement the strong security controls they already have in place for banking applications and follow industry best practices to properly develop mobile, desktop and web applications, and continuously scan them for vulnerabilities.”

All of the vendors impacted by these stock trading vulnerabilities have been notified. IOActive cannot confirm whether or not they are fixed at this point in time.
