Smartphone apps from Walmart, CNN, ESPN, and dozens of other organizations put user accounts at risk of compromise because they allow attackers to make an unlimited number of login attempts, according to recently published research.
Security experts have long recognized the benefit of limiting the number of unsuccessful login attempts that users can make to online accounts. While such limits make it possible for attackers to lock out legitimate users, that denial-of-service drawback is generally outweighed by the protection they provide against online password cracking, in which attackers make huge numbers of password guesses against specific user accounts in the hope of hitting the right one. Until last September, Apple's iCloud service failed to limit the number of login attempts to that service, a shortcoming that may have contributed to last year's mass celebrity hack and nude photo thefts.
Despite Apple mending its ways, many smartphone apps still allow users to make an unlimited number of login attempts. That failure allows attackers to cycle through long lists of the most commonly used passwords. Given the difficulty of entering strong passwords on smartphone keyboards, it's a safe bet that it wouldn't be hard to compromise a statistically significant number of accounts over a period of weeks.
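To make the trade-off described above concrete, here is an added example of the server-side control the article says these apps lack: a per-account failed-login limiter, together with a small simulation showing why an unlimited login endpoint falls to a short list of common passwords while a limited one does not. This is illustrative code written for this page, not code from any of the named apps or from the cited research; the account, password and guess list are constructed sample data, and a real service would compare password hashes rather than plaintext.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class LoginThrottle:
    """Per-account failed-login limiter (constructed example, not a real app's code).

    After `max_failures` failed attempts within `window_seconds`, the account is
    locked for `lockout_seconds`. While locked, attempts are rejected without the
    password even being checked, which is what stops online guessing. The same
    mechanism is what lets an attacker lock out a legitimate user on purpose.
    """

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 lockout_seconds: float = 900.0) -> None:
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures: Dict[str, List[float]] = defaultdict(list)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed attempt; return True if this failure triggered a lockout."""
        # Keep only failures that fall inside the sliding window.
        recent = [t for t in self._failures[account] if now - t < self.window_seconds]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = []
            return True
        self._failures[account] = recent
        return False

    def record_success(self, account: str) -> None:
        """A correct login clears the failure history and any lockout."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle: Optional[LoginThrottle], users: Dict[str, str],
                  account: str, password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'bad'.

    `users` maps account -> password and stands in for a credential store
    (constructed; a real store holds password hashes). With throttle=None the
    endpoint behaves like the unlimited apps described in the article.
    """
    if throttle is not None and throttle.is_locked(account, now):
        return "locked"
    if users.get(account) == password:
        if throttle is not None:
            throttle.record_success(account)
        return "ok"
    if throttle is not None:
        throttle.record_failure(account, now)
    return "bad"


def run_wordlist(throttle: Optional[LoginThrottle], users: Dict[str, str],
                 account: str, guesses: List[str], start: float = 0.0,
                 interval: float = 1.0) -> Tuple[bool, int]:
    """Replay a guess list against one account, one guess every `interval` seconds.

    Returns (whether the right password was ever accepted, attempts made).
    """
    for i, guess in enumerate(guesses):
        if attempt_login(throttle, users, account, guess, start + i * interval) == "ok":
            return True, i + 1
    return False, len(guesses)


# Constructed sample data: a short "most common passwords" style list and one account.
COMMON_GUESSES = ["123456", "password", "12345678", "qwerty", "abc123", "111111",
                  "letmein", "welcome", "monkey", "dragon", "hunter2", "iloveyou"]
USERS = {"alice": "hunter2"}

if __name__ == "__main__":
    print("no limit :", run_wordlist(None, USERS, "alice", COMMON_GUESSES))
    print("5/5 min  :", run_wordlist(LoginThrottle(), USERS, "alice", COMMON_GUESSES))
```

Against the unlimited endpoint the replay succeeds on the eleventh guess; with the limiter the fifth failure locks the account and every later guess, including the correct one, is rejected unread. The lockout window is the knob that trades guessing resistance for the lockout denial-of-service risk the article mentions: a short lockout with a growing delay on repeat failures, or limits keyed on the requesting client as well as the account, keeps most of the protection while making it harder to freeze out the account's real owner.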