Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Enterprises Warned About Risky Connected Third-Party Apps

More than a quarter of the third-party apps used in enterprises are risky, and one of the most problematic are connected cloud applications, according to cloud security company CloudLock.

More than a quarter of the third-party apps used in enterprises are risky, and one of the most problematic are connected cloud applications, according to cloud security company CloudLock.

CloudLock CyberLab’s Cloud Cybersecurity Report for the second quarter of 2016, which is based on the analysis of over 150,000 unique apps and 10 million users, shows that the use of third-party apps has increased 30 times over the past two years.

The security firm pointed out that organizations must not neglect a very important aspect when addressing the issue of “shadow IT,” the term used to describe applications and systems used by employees without approval from IT security teams. One technology that can introduce serious risks is OAuth, an authentication protocol that allows users to approve apps to act on their behalf without sharing their password.

The problem, according to experts, is that OAuth-connected applications can have extensive access to corporate data. These types of apps can request permission to view, delete, transfer and store corporate data when enabled using corporate credentials, which is why it’s important that organizations identify these applications, particularly those that pose the highest risk.

“On a daily basis, employees are utilizing apps without notifying IT, and authorizing OAuth connections through their corporate credentials. If these apps are malicious by design, or the connected application’s vendor is compromised, this opens the door to cybercriminals deleting accounts, externalizing or transferring information, provisioning or deprovisioning users, changing users’ passwords, modifying administrator’s settings, performing email log searches, and more,” CloudLock said in its report.

Across all the industries monitored by CloudLock, on average, a total of 733 third-party apps are connected to the corporate environment in each organization, with the higher education, technology and media sectors at the top of the chart.

Of the 156,000 third-party apps that have been granted access to corporate systems this year, security teams classified 27 percent as “high risk.” Experts noted that the percentage of high risk apps connected to corporate systems is roughly the same all around the world.

The list of top 10 risky apps includes various games, music players, the Goobric Web App, and the Pingboard employee directory software. The most risky application is the mobile strategy game Clash Royale. While these apps are not necessarily risky by nature, they can represent a serious problem if they are compromised – mainly due to their extensive access to corporate environments and the high number of privileged users.

In the enterprises analyzed by CloudLock, more than half of third-party applications have been banned due to security concerns. The top 10 banned apps are WhatsApp, Zoho Accounts, SoundCloud, Sunrise Calendar, Power Tools, Pinterest, Free Rider HD, Airbnb, Madden NFL Mobile and CodeCombat.

Related: Broadly Shared Files a High Risk for Enterprise Data

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...

Application Security

Application security startup ArmorCode today announced that it has received $8 million in additional seed funding, which brings the total raised by the company...