Rapid7 researchers: Flaw found in Seeking Alpha financial news app could leak info
Researchers at Rapid7 discovered a flaw in financial news platform Seeking Alpha’s mobile apps that could leak PII.
Researchers disclosed Tuesday that they had discovered a flaw in financial news platform Seeking Alpha's mobile applications that could leak information on users and that remained unpatched for two months after the company was notified; the company did release updates addressing the vulnerability yesterday.
The company's iPhone and Android apps are used primarily by retail investors to research and track stock information. The app "leaks personally identifiable and confidential information, including the username and password to the associated account, lists of user-selected stock ticker symbols and associated positions, and HTTP cookies," Rapid7 Security Research Manager Tod Beardsley wrote in a company blog post.
Rapid7 researchers contacted Seeking Alpha two months ago with their findings, according to the blog post. However, a Rapid7 spokesperson told SCMagazine.com in an email that the financial publisher did not respond and the vulnerability was not patched during that time period.
“Until Seeking Alpha provides a fix for the mobile application, users are strongly advised to not use the application while connected to untrusted networks,” Beardsley wrote. “The use of a VPN will also help alleviate the most likely risk of a nearby eavesdropper on a public network, but note that this would protect communication only as far as the VPN endpoint.”
The researcher noted that "an attacker in a privileged position on the target's network can intercept, view, and modify communications between the Seeking Alpha mobile application and its associated web services trivially, due to the reliance on HTTP cleartext communications, rather than HTTPS. HTTP is used for routine polling for stock ticker symbols the user has configured, which may reveal overly personal financial information about the user that could be used in a targeted attack."
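As an added illustration (not Rapid7's tooling or the app's code), the following Python audits a constructed capture of three requests from a hypothetical stock-tracking app and reports which items an on-path observer could read because they travel over plain HTTP rather than HTTPS; the hostname, endpoints and field names are made up.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of what a passive capture on an untrusted network might
# show for a hypothetical app; this is not Seeking Alpha's real traffic.
SAMPLE_CAPTURE = [
    ("http", "POST /login HTTP/1.1\r\nHost: api.example.test\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "username=alice&password=hunter2"),
    ("http", "GET /portfolio?symbols=AAPL,TSLA HTTP/1.1\r\n"
             "Host: api.example.test\r\nCookie: session=abc123\r\n\r\n"),
    ("https", "GET /portfolio?symbols=AAPL,TSLA HTTP/1.1\r\n"
              "Host: api.example.test\r\nCookie: session=abc123\r\n\r\n"),
]

CREDENTIAL_KEYS = {"username", "password", "passwd", "email"}
SENSITIVE_HEADERS = {"cookie", "authorization"}
TICKER_KEYS = {"symbols", "tickers"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def audit_capture(capture):
    """Return (request_index, category) for each sensitive item sent in cleartext."""
    findings = []
    for idx, (scheme, raw) in enumerate(capture):
        if scheme != "http":
            continue  # TLS-protected request: an eavesdropper sees no content
        _method, target, headers, body = parse_request(raw)
        params = set(parse_qs(urlsplit(target).query))
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            params |= set(parse_qs(body))
        if SENSITIVE_HEADERS & set(headers):
            findings.append((idx, "session-token"))   # HTTP cookies / auth headers
        if CREDENTIAL_KEYS & params:
            findings.append((idx, "credentials"))     # username and password
        if TICKER_KEYS & params:
            findings.append((idx, "watchlist"))       # user-selected ticker symbols
    return findings
```

Running `audit_capture(SAMPLE_CAPTURE)` flags the login credentials in the first request and both the session cookie and the ticker list in the second, while the HTTPS request produces no finding.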
Seeking Alpha originally did not respond to SCMagazine.com's initial requests for comment, but after the original version of this article was published, CTO Asi Segal contacted SC via Twitter DM to say that the company submitted patches to the App Store and Google Play for review on Thursday, and the Android and iPhone app updates were subsequently released the same day. (See more details in the updates appearing at the end of this article.) Before that, Seeking Alpha's Android app had last been updated in late May. It is unclear how many users, if any, the flaw could have affected. However, between 500,000 and one million users have installed the Android app, initially released in January 2013, according to data published by Google Play.
Apple does not publish the number of app downloads, so it is unknown how many iPhone users downloaded the app, which at press time had been last updated in late June.
The disclosure raises the issue of cybercriminals targeting sensitive stockholder information, an ongoing challenge for financial publishers. Last October, Dow Jones & Co. was reported to have been targeted by Russian hackers seeking embargoed market-moving information. Earlier, in August 2015, traders in Georgia and Pennsylvania were arrested for involvement in breaching computer servers of PRNewswire Association LLC, Marketwired and Business Wire.
UPDATE: Seeking Alpha CTO Asi Segal contacted SCMagazine.com and stated that a patch was submitted to the App Store and Google Play for review on Thursday, and the Android and iPhone app updates were subsequently released the same day.
CORRECTION: This story has been revised to clarify that there is no evidence that user data has been leaked. Seeking Alpha CEO Eli Hoffman told SCMagazine.com in an email correspondence that to date, to the company's knowledge, "not a single instance of actual leakage has occurred."