By clicking one of our links you're supporting our labs and our independence, as we may earn a small share of revenue. Recommendations are separate from any business incentives.
Maybe this sounds familiar: You go to log in to some app or service you haven't used in a while, but you've forgotten your password. You try a few from memory, but after three tries the service blocks you and informs you that you'll have to wait x minutes before trying again.
Frustrating, right? Certainly. But this simple security measure is a critical roadblock against hackers, who can use specialized software to repeatedly guess at your password—often trying hundreds or thousands of possibilities. It's called a "password brute force attack," and that annoying failsafe is essentially the only thing keeping a hacker from hijacking your account.
However, dozens of hugely popular iOS and Android apps currently lack protection against brute-force attacks. According to a report published this week by digital security firm AppBugs, these apps have been collectively downloaded up to 600 million times. It's a scary finding, particularly since the vulnerability is on the server side—it doesn't matter how complicated your password is, since the enemy can systematically check all possible combinations.
Included among the vulnerable apps are: CNN, ESPN, Slack, Expedia, SoundCloud, Walmart, iHeartRadio, AutoCAD, and Kobo. Fortunately, none of these services is likely to house your financial data, but the report is still indicative of a pervasive problem.
If you use any of these apps and (for whatever reason) are worried about the data stored within, it might be a good idea to hold off on using them until their security holes are filled. Even better, ask the developers to take action.