Security Holes In App Stores: Latest In NSA Spying Saga

New reports on the leaked NSA documents claim the agency exploited security flaws in mobile app stores instead of publicizing the vulnerabilities.


Yet another NSA program detailed in documents leaked by Edward Snowden is making headlines today. The NSA, along with spy agencies from several other countries, reportedly developed a plan to exploit weaknesses in several app stores to collect data on suspected terrorists.

New documents published by CBC and The Intercept Wednesday detail a program dubbed "Irritant Horn," a combined effort from the U.S., Canada, U.K., New Zealand and Australia. The program targeted vulnerabilities in UC Browser, an incredibly popular app in China and India run by e-commerce giant Alibaba. It also sought ways to access information through Google and Samsung's servers. 

It doesn't appear the companies were informed of the weaknesses, which left open the possibility that hackers, criminals and other government agencies could exploit the same vulnerabilities.

It appears the program began after vulnerabilities in UC Browser were discovered in 2011. The documents detail what's called a "man-in-the-middle" attack to collect data and even plant spyware on some smartphones. It's a method sometimes used by hackers to commit fraud.

The NSA has been accused of letting security vulnerabilities go unchecked in the past.

Bloomberg published a report last year that accused the agency of knowing about the infamous "Heartbleed" security vulnerability for two years and exploiting it.

For its part, the government denied that report, and the Director of National Intelligence later released a statement saying that when a weakness is discovered, "it is in the national interest to responsibly disclose the vulnerability." But the statement did include the caveat "unless there is a clear national security or law enforcement need."

A source from Alibaba told CBC the company was never contacted by any of the agencies involved about UC Browser's vulnerability and said it wasn't aware any user data had been leaked.
