Misli.com Android App SSL certificate validation weakness
Apr 24 2014 11:57AM
harun esur sceptive com
Title: Misli.com Android App SSL certificate validation weakness
Advisory URL: http://sceptive.com/p/mislicom-android-app-ssl-certificate-validation-we
Misli.com is an online betting website that also provides an Android app to make betting easier for its members.
We found that the Android app is vulnerable to SSL man-in-the-middle attacks (http://en.wikipedia.org/wiki/Man-in-the-middle_attack), which allow an attacker to capture usernames and passwords and to hijack the sessions of app users.
On networks where an attacker can redirect traffic, HTTPS connections can be routed through a MITM tool that terminates the SSL session with its own certificate.
When we redirected our network in this way, the app accepted the MITM tool's certificate without complaint, and we observed the user data it sends and receives in cleartext, for example:
"login": "abc (at) abc (dot) com [email concealed]",
Session IDs captured this way can likewise be replayed by an attacker from their own setup to hijack other users' sessions.
== Affected Versions
The app does not display a version number, so we provide the MD5 hash of the vulnerable APK instead:
MD5 (android.apk) = 35bb423c18e7269922d9610ef050b7ae
No fix has been released yet.