Researchers discovered that financial news platform Seeking Alpha's mobile applications were leaking PII and confidential information of more than 500,000 users.
The company's iPhone and Android apps, used primarily by retail investors to research and track stock information, leaked users' login credentials, HTTP cookies, and stock positions.
The flaw was disclosed by Rapid7 researchers after the security firm contacted Seeking Alpha two months ago; however, Rapid7 stated in an email to SCMagazine.com that the financial publisher has not yet responded to the researchers and that the vulnerability has not been patched.
“Until Seeking Alpha provides a fix for the mobile application, users are strongly advised to not use the application while connected to untrusted networks,” Rapid7 security research manager Tod Beardsley wrote in a company blog post. “The use of a VPN will also help alleviate the most likely risk of a nearby eavesdropper on a public network, but note that this would protect communication only as far as the VPN endpoint.”
Seeking Alpha did not respond to SCMagazine's requests for comment. Seeking Alpha's Android app was last updated in late May. Between 500,000 and 1 million users have installed the Android app, which was initially released in January 2013, according to data published by Google Play.
Apple does not publish the number of app downloads, so it is unknown how many iPhone users are affected. The iPhone app was last updated in late June.
The disclosure raises the issue of cybercriminals targeting sensitive stockholder information, an ongoing challenge for financial publishers. Last October, Dow Jones & Co. was reported to have been targeted by Russian hackers seeking embargoed market-moving information. Earlier, in August 2015, traders in Georgia and Pennsylvania were arrested for involvement in breaching computer servers of PRNewswire Association LLC, Marketwired and Business Wire.