Five Programming Languages That Carry Hidden Exploitable Flaws Exposing Apps to Attacks


Is it always the bad coders who introduce security issues or can it be the programming languages too that expose apps to attack? According to one researcher even the languages have inherent flaws that put applications parsed by them at security risk.

IOActive researcher, Fernando Arnaboldi, says that apps "may be susceptible to unpredictable security issues when using certain features from programming languages." He has focused on top five interpreted programming languages in his research, including JavaScript, Perl, PHP, Python, and Ruby.

How Thousands of iOS and Android Apps Are Collectively Leaking Data of Millions of Users

There are a number of possibilities to be abused in different implementations that could affect secure applications. There are unexpected scenarios for the interpreted programming languages parsing the code in Javascript, Perl, PHP, Python and Ruby.

This means that even if an application has been securely developed, it may still carry unidentified vulnerabilities in the underlying programming languages. Since many of these are well known flaws, attackers can potentially target these flaws (in the programming language) to modify app's behavior or target their users.

"This means applications are only as secure as the programming languages parsing the code."

In Ruby, for example, the open() function is typically used to request URLs with the open-uri library. However, it can also be used to execute operating system commands remotely with weak input validation and a pipe.

In Python's example, Arnaboldi said the programming language has "undocumented methods and local environment variables that can be used for OS command execution." In PHP, certain functions can be passed a constant's name to execute remote commands; NodeJS could leak file contents through error messages it outputs, and so on.

"The vulnerabilities ultimately impact regular applications parsed by the affected interpreters; however, the fixes should be applied to the interpreters," Arnaboldi said. "Software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee," he added. "Some of these behaviors pose a security risk to applications that were securely developed according to guidelines."