Recurring |
one_organization, multiple_organization |
(a) The software failure incident related to hard-coded authentication credentials in mobile apps has happened again at one_organization. The incident involved several mainstream iOS banking apps all using the same third-party AI digital identity software development kit that exposed cloud credentials of the shared service, leading to the exposure of biometric fingerprint files from users of the banking apps [131358].
(b) The software failure incident related to hard-coded authentication credentials in mobile apps has also happened at multiple_organization. For example, a large hospitality and entertainment company working with a technology company on sports betting apps had hard-coded credentials that gave infrastructure access to 16 online gambling apps, exposing their cloud services and granting root access to take control of the backend platform [131358]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be seen in the article. The incident was caused by insecure development practices, specifically the presence of hard-coded authentication credentials in mobile app cloud infrastructure. These credentials, meant to provide access to specific files or services, ended up granting access to all files stored in the cloud service, including sensitive data, database backups, and system control components. This flaw in the design of the apps meant that attackers could potentially unlock massive amounts of sensitive data with a single key, like one left under a doormat [131358].
(b) The software failure incident related to the operation phase is evident in the article as well. The incident was exacerbated by the operation of the system, particularly the misuse of hard-coded access keys in mobile apps. The use of static authentication tokens that were not properly secured led to the exposure of private cloud services, private files, and even infrastructure access to multiple, unconnected apps. This misuse of credentials in the operation of the apps resulted in a significant security risk and potential data breaches [131358]. |
Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident discussed in the article is primarily within the system. It is related to the prevalence of hard-coded authentication credentials in mobile app cloud infrastructure, leading to the exposure of sensitive data and potential security breaches [131358]. The issue stems from insecure development practices, shared resources, and the use of static authentication tokens that grant access to a wide range of data within the cloud services underlying various mainstream apps. The incident highlights the systemic oversight and lack of proper security measures within the system itself, emphasizing the need for better practices such as using temporary credentials and siloing information to prevent such failures. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in the articles is primarily related to non-human actions. The incident was caused by hard-coded authentication credentials present in the cloud services underlying hundreds of mainstream mobile apps. These credentials, meant to provide access to specific files or services, ended up granting access to all files stored in the cloud service, including sensitive data, database backups, and system control components. This systemic oversight led to a significant risk of data leakage and compromise without direct human involvement [131358].
(b) However, human actions also played a role in this software failure incident. The use of hard-coded access keys by developers, instead of implementing temporary credentials that expire after a short period, contributed to the exposure of sensitive data. The lack of awareness about secure development practices and the sharing of resources without proper segmentation were highlighted as human factors leading to the incident. The need for a complete audit of software components and greater awareness about information siloing were emphasized as measures to prevent such incidents in the future [131358]. |
Dimension (Hardware/Software) |
software |
(a) The articles do not mention any software failure incident occurring due to contributing factors that originate in hardware.
(b) The software failure incident mentioned in the articles is related to software itself. Specifically, the incident involves the prevalence of hard-coded authentication credentials in mobile app cloud infrastructure, leading to the exposure of sensitive data and potential compromise of user information [131358]. |
Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident discussed in the article is related to malicious intent. The incident involved the discovery of hard-coded authentication credentials in mobile app cloud infrastructure, which could potentially grant attackers access to sensitive data across multiple apps [131358]. The presence of these hard-coded credentials was not accidental but rather a result of insecure development practices or ignorance about the risks involved in exposing such credentials. The incident highlights the significant risk posed by malicious actors who could exploit these vulnerabilities to access private cloud services, files, and user data [131358]. |
Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The software failure incident resulted from poor decisions, as described in the article [131358]. The incident involved the prevalence of hard-coded authentication credentials in mobile app cloud infrastructure, leading to a significant security risk. These hard-coded credentials, meant to provide access to specific files or services, often ended up granting access to all files stored in a cloud service, including sensitive data like company information, database backups, and system control components. The practice of implementing hard-coded access keys was highlighted as not being secure, and temporary credentials that expire after a short period of time were recommended instead. The incident reflects poor decisions in terms of security practices and the lack of proper data segmentation and protection measures. |
Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident related to development incompetence is evident in the article, which discusses the prevalence of hard-coded authentication credentials in mobile app cloud infrastructure. The article highlights how these hard-coded credentials, meant for specific functions, often end up granting access to sensitive data and infrastructure components across multiple apps due to a lack of proper security measures and segmentation. This oversight can be attributed to development incompetence or ignorance regarding the potential risks associated with exposing such credentials [131358].
(b) The software failure incident related to accidental factors is also present in the article. The researchers discovered that numerous mainstream iOS banking apps were unknowingly using a third-party AI digital identity software development kit that exposed cloud credentials of the shared service, leading to the leakage of biometric fingerprint files from users. This accidental exposure of sensitive data can be considered a failure resulting from accidental factors rather than intentional actions [131358]. |
Duration |
temporary |
The software failure incident described in the article is more aligned with a temporary failure rather than a permanent one. The incident was caused by specific circumstances such as the presence of hard-coded authentication credentials in mobile app cloud infrastructure, leading to the exposure of sensitive data and potential security breaches [131358]. The article highlights the systemic issue of hard-coded access keys in various apps, emphasizing the need for better security practices and awareness among developers to prevent such incidents in the future. |
Behaviour |
value, other |
(a) crash: The articles do not specifically mention any software failures due to crashes where the system loses state and does not perform any of its intended functions.
(b) omission: The software failure incident described in the articles does not involve the system omitting to perform its intended functions at an instance(s).
(c) timing: The incident does not relate to a failure due to the system performing its intended functions correctly but too late or too early.
(d) value: The software failure incident is related to a failure due to the system performing its intended functions incorrectly. Specifically, the incident involves the exposure of hard-coded authentication credentials in mobile app cloud infrastructure, leading to unauthorized access to sensitive data [131358].
(e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions.
(f) other: The behavior of the software failure incident described in the articles can be categorized as a security vulnerability resulting from the improper handling of authentication credentials in mobile app cloud infrastructure, leading to potential data leaks and compromises. |