Enterprise threat dubbed HospitalGown infests thousands of apps

Appthority, an enterprise mobile threat protection company, published research on a newly discovered backend data exposure vulnerability, dubbed HospitalGown, that highlights the connection between mobile apps and insecure backend databases containing enterprise data. Appthority documented more than 1,000 apps with this vulnerability, and researched in detail 39 applications with big data leaks, which exposed an estimated 280 million records. These records were accessible as a result of weakly secured backends and did not require authentication of any kind to access the data.

Data leakage, especially leaks of personally identifiable information (PII), significantly increase the risk of spear phishing, brute force login, social engineering, and data ransom attacks on enterprises with employees, partners or customers that currently or have ever used the compromised apps. Appthority has reached out to the mobile application developers, app stores, and hosting providers associated with the data leaks.

“HospitalGown poses a direct risk to enterprises, opening them to an easy breach, exfiltration of sensitive data, and the costs from remediation, lawsuits, compliance infractions and loss of brand trust,” said Seth Hardy, Appthority Director of Security Research. “No amount of on-device application security can make up for relaxed security where the application stores user data. A breach at the backend takes the magnitude of the threat from being focused on a handful of devices to a much broader exposure for an entire enterprise, which could result in big data leaks or ransom of sensitive data.”

The Appthority Mobile Threat Team (MTT) discovered HospitalGown using an innovative backend scanning technique, added as a new component to the company’s dynamic mobile app analysis. Using this technique, the MTT analyzed the network traffic of over a million enterprise mobile iOS and Android apps and led to the discovery of over 21,000 open Elasticsearch servers with unprotected data connected to apps frequently found on enterprise devices.

“The HospitalGown threat is both real for enterprises and significant,” said Ed Amoroso, CEO of TAG Cyber. “It underscores the need for the in depth and innovative mobile threat defense solution that Appthority provides.”

Key findings:

- Affected apps are connecting to unsecured data stores on popular enterprise services, such as Elasticsearch and MySQL, which are leaking large amounts of sensitive data

- Apps using just one of these services revealed almost 43TB of exposed data

- Multiple affected apps leaked some form of PII, including passwords, location, travel and payment details, corporate profile data (including employees’ VPN PINs, emails, phone numbers), and retail customer data

- In multiple cases, data has already been accessed by unauthorized individuals and ransomed

- Even apps that have been removed from devices and the app stores still pose an exposure risk due to the sensitive data that remains stored on unsecured servers