Plaid’s Gaping Security Hole

June 11, 2019

A Hacker News user recently dug up security concerns about the Plaid application, raised in issues that Plaid recently deleted. According to one of Plaid’s co-founders, the deletion of security concerns dating back to 2016 had nothing to do with a cover-up. In a Hacker News comment he said, “We’re in the process of migrating this repository and replacing it with a dedicated iOS SDK repo, JS SDK, and (soon to be) Android SDK. However, I messed up the order of operations with this migration and can empathize with the reaction. I personally chatted with a lot of the [commentators] on the original issue before we did this and more than happy to engage/get feedback from anyone else over email/phone/in-person.”

Though his comment clears up any charge of duplicity, the fact remains that Plaid is insecure. What is Plaid? Plaid is a payment processing platform that connects applications to banks by providing an API that streamlines transactions. The problem isn’t with any vulnerabilities per se; those can be patched. The security hole is in the design of the Plaid Link UI. Plaid mimics your bank’s UI in an attempt to make you feel comfortable entering your bank credentials, the same tactic that malicious users employ to get you to enter sensitive information. This design choice exposes users to phishing attacks.

Non-technically speaking, a phishing attack is a scam that often comes in the form of a link. What makes these attacks nefarious is that the link seems to take you to a legitimate source, like Facebook or PayPal. What you’re actually on is a clone.

Technically, what happened is that the DNS server got changed on the router so that requests got redirected, sending you to a private DNS server whose MX records are altered. MX records are like name tags that help identify computers. The protocol for these cloned sites is usually HTTP, which can tip you off if you have a wary eye.

In the case of Plaid, applications that use their service will most likely be mobile apps, where average users may not be able to verify whether or not they’re typing their sensitive information into an authenticated service. One GitHub user mentioned checking the HTML source as the only real viable option for validating authentication for the UI. Try telling your non-tech-savvy friend to start checking source code.
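As an added illustration (not code from Plaid or from the GitHub discussion), this is the kind of check an app can run on the user's behalf before a credential form is displayed: require HTTPS and an exact hostname match against an allowlist. The hostnames and the function name `checkCredentialOrigin` are hypothetical.

```javascript
// Added example. Hostnames are placeholders, not real bank or Plaid endpoints.
const TRUSTED_HOSTS = new Set(["login.bank.example", "link.provider.example"]);

// Decide whether a URL that is about to show a credential form is served
// from an origin the app explicitly trusts.
function checkCredentialOrigin(rawUrl, trusted = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules a browser applies
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    // Without TLS nothing ties the page to the hostname's owner.
    return { ok: false, reason: "not HTTPS" };
  }
  if (url.username || url.password) {
    // https://login.bank.example@clone.example/ loads clone.example
    return { ok: false, reason: "userinfo in URL" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    // The allowlist would reject this anyway; flag it for a clearer reason.
    return { ok: false, reason: "punycode label (possible homograph)" };
  }
  if (!trusted.has(host)) {
    // Exact match only: login.bank.example.clone.example does not pass.
    return { ok: false, reason: "host not on allowlist" };
  }
  return { ok: true, reason: "trusted origin" };
}

// Constructed sample URLs covering the usual clone tricks.
const samples = [
  "https://login.bank.example/signin",
  "http://login.bank.example/signin",
  "https://login.bank.example@clone.example/signin",
  "https://login.bank.example.clone.example/signin",
  "https://xn--e1afmkfd.example/signin",
];
for (const s of samples) {
  const { ok, reason } = checkCredentialOrigin(s);
  console.log(`${ok ? "ALLOW" : "BLOCK"}  ${s}  (${reason})`);
}
```

The HTTPS requirement only helps if the app also leaves certificate validation enabled in its web view.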

A UX decision shouldn’t simply be employed because users love it. Rather, a user should be protected from what they do not know. Security should be baked into any decision about UI, even if that security measure appears to impact usability. Though, that fear may just be a myth. UX designer Krisztina Szerovay wrote in a blog post, when referring to UX and security, “It’s a false assumption that being secure means being less usable. If something is usable and less confusing, it’s likely to be more secure. If something is secure, it’s more reliable, so it increases usability.”

We continuously see applications announcing security breaches. Facebook has had to stand in the court of public opinion in the aftermath of their security/privacy scandals. Their gaffes led some users to forgo their Facebook accounts. To those people, Facebook became unusable. Vulnerabilities are understandable, but blatant malpractice is unforgivable.

Plaid doesn’t handle the keys to likes and dislikes; they handle the keys to life savings and are therefore responsible for designing their service with security in mind.

 

 

 
