Analyzing the app's data may lead to discovery of the hard-coded API key for an external service. The affected versions of the app are 3.0.47 to 3.1.2. Users with earlier versions of the app may still be vulnerable to this issue. Unauthorized access to the data stored in the app may reveal sensitive information, such as the hard-coded API key for an external service.

Hulu is responsible for fixing this issue. However, users of the app may wish to take precautionary steps to protect their data against data analysis.

How to check if your app is affected by Hard-coded API Key

To check if your app is affected by this issue, follow these steps:

1. Open the Hulu app and navigate to "More" (the hamburger icon on the bottom left).
2. Scroll down to "Privacy Policy Agreement."
3. Tap on the "I agree" button in the pop-up window, then tap on "About Hulu" at the top of the screen.
4. Scroll down to "App Permissions."
5. Look for "Access external account info (hard-coded API key)." If that permission is granted, your app may be vulnerable to this issue. You can also check in Settings > Privacy & Security > App permissions > Other apps > Hard-coded API key access.

Protect your data against data analysis

According to a report by the Federal Trade Commission, there is a potential risk that hackers may discover the hard-coded API key for an external service. The affected version of the app is 3.0.47 to 3.1.2. Users with earlier versions of the app may still be vulnerable to this issue. Unauthorized access to the data stored in the app may reveal sensitive information, such as the hard-coded API key for an external service. By analyzing the data, it is possible to determine the hard-coded API key for an external service and use that information to hack into other apps or accounts in order to trace back your activity and discover your personal identity or sensitive personal information.

How Does the Hack Work?

Hulu apps use the SDK service provided by Hulu to access external services. In some cases, this service may be hard-coded as an API key. When using the SDK service, if a user enters a wrong API key for an external service into the app, the data stored in the app will be sent to that external service without authorization. For example, if a user entered “api-key” instead of “api-key1” into their Hulu account settings, the data from their Hulu account would be sent to “api-key” without authorization. It is possible for third parties to analyze this data and determine what APIs have been used by analyzing which APIs were accessed with incorrect keys.

Hulu users should make sure they are only accessing legitimate APIs and not using any hard-coded API keys on modified versions of their apps until this issue is fixed.

Timeline

Published on: 08/16/2022 08:15:00 UTC
Last modified on: 08/17/2022 19:31:00 UTC
