Birebin.com Android App SSL certificate validation weakness
Apr 24 2014 11:24AM
harun esur sceptive com
Title: Birebin.com Android App SSL certificate validation weakness
Birebin.com is an online betting web site that also provides an Android app to make betting easier for its members.
We have found that the Android app is vulnerable to SSL MITM attacks (http://en.wikipedia.org/wiki/Man-in-the-middle_attack), which let attackers gather user names and passwords and hijack the sessions of app users.
In misconfigured network environments it is possible to redirect HTTPS traffic through MITM tools for SSL sessions.
When we redirected our network in such a configuration, we observed that the app sends/receives user data unencrypted:
"UserName": "abc (at) abc (dot) com [email concealed]"
The Token value, which is used for session awareness, is also exposed, so attackers can use it in their own configurations to hijack other users' sessions.
== Affected Version(s)
No version is given in the app, but we provide the MD5 hash of the vulnerable APK:
MD5 (birebin-android-latest.apk) = 60bea6a1694b1ffc87c4dc3f2ba6a8be
No known fixes have been released yet.
Copyright 2010, SecurityFocus