Some of the world's most popular apps permit unlimited brute-force password guessing attempts.
The 53 exposed Android and Apple apps, collectively downloaded more than 600 million times, include SoundCloud, ESPN, CNN, Expedia, and Walmart.
Of the 15 apps named so far, a dozen have failed to fix the server-side flaws after being given 30 days to act ahead of disclosure. The remaining apps will be named on 30 July.
Developers for the popular apps Wunderlist, Dictionary, and Pocket implemented rate-limiting fixes to prevent multiple brute-force sign-in attempts after being informed of the vulnerabilities.
AppBugs researchers, citing recent work (PDF), say attackers could take between 30 minutes and a month to break into most accounts.
"Password brute force vulnerability in a web service allows an attacker to make unlimited login attempts to the web service in order to guess the correct password of a victim user," the researchers say.
"Assuming the attacker makes login attempts to the vulnerable service 30 times per minute, it takes him half an hour to 24 days to guess a password, depending on the strength of the target password.
"Attackers have no problem launching the attacks from multiple IP addresses on multiple user accounts in parallel and often can make guesses more than 30 times per minute. If today the attacker launches such an attack against most user accounts in parallel, he will be able to get most user passwords within 24 days."
None of the tested apps features two-factor authentication, which could mitigate the risk of password brute forcing.
Researchers say users can do little to combat the vulnerabilities short of disabling accounts, which they recommend where possible.
Required accounts should be protected using strong, unique passwords of more than 20 characters, which would be considered a "temporary" mitigation.
Failure to prevent brute-force password guessing is a common and rather dangerous security flaw as it subjects notoriously weak passwords to attacks powered by the colossal compute of cloud servers. ®
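The rate-limiting fixes mentioned above have to be keyed on the account rather than the client, because the researchers note that guesses can arrive from many IP addresses. The sketch below is an added example, not code from AppBugs or any of the named apps; the class and function names, the five free attempts and the 30-second doubling backoff are assumptions chosen for illustration.

```python
import time

class AccountThrottle:
    """Counts failed logins per account name, so rotating source IPs does not reset it."""

    def __init__(self, free_attempts=5, base_delay=30, max_delay=3600, clock=time.monotonic):
        self.free_attempts, self.base_delay, self.max_delay = free_attempts, base_delay, max_delay
        self.clock = clock
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> clock value when the next attempt is allowed

    def retry_after(self, account):
        """Seconds until this account may be tried again (0 means allowed now)."""
        return max(0, self.locked_until.get(account, 0) - self.clock())

    def record(self, account, success):
        if success:  # a good login clears the account's history
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return
        n = self.failures[account] = self.failures.get(account, 0) + 1
        over = n - self.free_attempts
        if over >= 0:  # exponential backoff: 30 s, 60 s, 120 s ... capped at max_delay
            delay = min(self.base_delay * 2 ** over, self.max_delay)
            self.locked_until[account] = self.clock() + delay

def attempt_login(throttle, check_password, account, password, source_ip):
    """Return 'throttled', 'ok' or 'denied'; source_ip is for logging only, not the throttle key."""
    account = account.strip().lower()  # one key per account however it is typed
    if throttle.retry_after(account) > 0:
        return "throttled"  # the password is not even checked
    ok = check_password(account, password)
    throttle.record(account, ok)
    return "ok" if ok else "denied"

def guesses_checked(minutes, per_minute=30):
    """Constructed run: wrong guesses at the article's 30/min, each from a new IP."""
    now = [0]
    throttle = AccountThrottle(clock=lambda: now[0])
    checked = 0
    for i in range(minutes * per_minute):
        now[0] = i * 60 // per_minute
        ip = f"198.51.100.{i % 254 + 1}"  # documentation-range addresses, rotated per guess
        if attempt_login(throttle, lambda a, p: False, "victim@example.com", f"guess{i}", ip) != "throttled":
            checked += 1
    return checked

if __name__ == "__main__":
    print(guesses_checked(60), "of", 60 * 30, "guesses reached the password check")
```

A per-account backoff also delays the legitimate owner while guessing is under way, which is why the delay is capped here and why a second factor remains the stronger control.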