Security Vulnerability in popular mobile app, what do?
I discovered a security vulnerability in a fairly popular mobile app. So i submitted a bug report and - surprise, surprise - no reaction.
The app in question fails to validate the ssl certificates of the app services server it communicates with. This means man in the middle attacks are possible.
If you don't know what that means: this is one step before not using SSL at all. Without SSL, everyone intercepting your traffic can read it. With SSL, but without certificate validation (the app accepts any certificate presented to it), you have to pretend to be the server (intercept the traffic to it; there are several ways to do this and it depends on weather you are using g3, wifi or what ever. But running your own DNS or DHCP server with custom features on an open wlan is certainly one of them) and get to see what the client sends. You can forward the clients requests to the real server, if you like, but the client will have no idea it is not communicating with the real server either way.
I'd say this is worth fixing and my first knee-jerk reaction would have been to just spill the beans. But maybe someone has some good advice how to go forward with this.
2 comments
[ 1.4 ms ] story [ 12.7 ms ] thread1. Discover vulnerability 2. Inform vendor, tell them they'll have x weeks before general disclosure 3. After x weeks, post it to the relevant place on seclists.org