lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 11 Nov 2014 18:50:52 -0300
From: Programa STIC <stic@...dacionsadosky.org.ar>
To: fulldisclosure@...lists.org
Subject: [FD] Missing SSL certificate validation in MercadoLibre app for
 Android [STIC-2014-0211]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	Fundación Dr. Manuel Sadosky - Programa STIC Advisory
		www.fundacionsadosky.org.ar

Missing SSL certificate validation in MercadoLibre app for Android

1. *Advisory Information*

Title: Missing SSL cert validation in MercadoLibre app for Android
Advisory ID: STIC-2014-0211
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-11
Date of last update: 2014-11-10
Vendors contacted: MercadoLibre (NASDAQ:MELI)
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Improper Following of a Certificate's Chain of Trust [CWE-296]
Impact: Data loss
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Identifier: CVE-2014-5658


3. *Vulnerability Description*

   MercadoLibre (NASDAQ:MELI) is an online trading company focused on
enabling e-commerce and its related services in Latin America.
According to the company[1] MercadoLibre is the largest e-commerce
ecosystem in Latin America, offering a wide range of services to
sellers and buyers throughout the region including marketplace,
payments, advertising and e-building solutions. It operates in 13
countries including Argentina, Brazil, Chile, Colombia, Mexico, Peru,
and Venezuela.

    The company provides services to its users through a set of
country-localized web applications and an Android application that is
available for download in Argentina, Brasil, Chile, Colombia, Costa
Rica, Ecuador, México, Panamá, Perú, Portugal, República Dominicana,
Uruguay y Venezuela. As of November, 2014 the application has between
10 and 50 million installations according to Google Play statistics[2].

    Vulnerable versions of the MercadoLibre's app for Android do not
validate the SSL certificate presented by the server. This allows
attackers to present fake certificates and perform Man-in-the-Middle
attacks allowing them to capture user's credentials to the site and
credit card information.

    The vendor fixed the problem in the latest version of the
applications. Users are advised to update their app as soon as possible.


4. *Vulnerable packages*

   . MercadoLibre for Android prior to 3.10.6.

5. *Vendor Information, Solutions and Workarounds*

     MercadoLibre acknowledged and fixed the vulnerability in version
3.10.6. They did so by updating the LoopJ Asynchronous Http Client
library to a version that does not skip the certificate validation
process by default.

      To determine which version of the application you have installed
on your Android device, go to "Settings|application settings|manage
application" then tap on the MercadoLibre app.


6. *Credits*
This vulnerability was discovered and researched by Joaquín Manuel
Rinaudo. The publication of this advisory was coordinated by Programa
de Seguridad en TIC.
      Will Dormann of CERT/CC independently discovered the SSL
certificate validation vulnerability using the CERT Tapioca tool.[5]

7. *Technical Description*

      MercadoLibre Android's application uses the LoopJ Android
Asynchornous HTTP client library [3] to communicate with the company's
web services. HTTP requests destined to the server are passed through
the 'MLAPIClient' interface to this library, which is responsible for
establishing a secure connection.

      The vulnerability is found in the class 'AsyncHttpClient' inside
the loopj library, which uses the class 'FakeSocketFactory' to set up
new sockets used to connect to remote web services. The sockets
created use a custom X509TrustManager named 'FakeTrustManager'. The
TrustManager's task is to verify that the SSL certificate presented by
the server is valid in order to prevent Man-in-the-Middle attacks.
Since 'FakeTrustManager' is just an empty implementation, all SSL
certificates presented to it will be considered valid. This allows an
attacker to mount a MITM attack to capture user authentication
credentials and other security-sensitive data by intercepting traffic,
creating fake X509 certificates on the fly and submitting them to
MercadoLibre's Android application.


8. *Report Timeline*

. 2014-09-02:

        Initial contact with the vendor requesting security contact
information to report vulnerabilities.

. 2014-09-09:
        Security contact information provided

. 2014-09-09:
	Programa de Seguridad en TIC sent the vendor a description of the
vulnerability notifying them also that CERT/CC[5] had published a
document listing applications that failed to validate SSL certificates
that included the MercadoLibre app, making the vulnerability now public.

. 2014-09-09:
	The vendor acknowledged the vulnerability and assured that the
problem was being addressed.

. 2014-09-09:
	Programa de Seguridad en TIC sent description of the ongoing research
project in which the vulnerabilitty was discovered as well as
reference to the vulnerability disclosure policy and procedures[4].

. 2014-09-17:
	Programa de Seguridad en TIC requested an status update and estimated
date for the release of a fixed version of the app.

. 2014-09-17:
           The vendor replied that the mobile team was working on the
problem, doing an assessment of the impact of the required change and
that the estimated date for a fix would be determined after that.

. 2014-09-17:
	Programa de Seguridad en TIC asks for an status update and estimated
date for the release of a fixed version fo the app.

. 2014-09-17:
        The vendor indicated that impact assessment was focused on
determining the number of users that would not be able to use the
fixed app due to a Certification Authority (CA) missing in older
versions of the Android keystore.

. 2014-09-18:
	Programa de Seguridad en TIC sent email detailing legal personal data
protection obligations[6] that apply to companies operating in
Argentina, a link to the US Federal Trade Commision case with Fandango
and Credit Karma[7] and points out MercadoLibre's security clause in
its own privacy policy statement[8].
        Programa de Seguridad en TIC suggests that the impact of a set
of users not being able to use the fixed app should be weighted
against the potential business risk of leaving the entire user base of
the Android app vulnerable to account hijacking attacks.

. 2014-09-22:
       Vendor replies that the risks are clearly understood and that
there is no question about whether the bug will or will not be fixed.
The vulnerability WILL be fixed. For further discussion Programa de
Seguridad en TIC can refer to the vendor's chief security officer.


. 2014-09-22:
	Programa de Seguridad en TIC thanks the vendor for its prompt
response and reminds that all communications regarding the report
should be carried over email so they can be documented and summarized
in the corresponding section of the security advisory as described in
the reporter's vulnerability reporting and disclosure procedure.

. 2014-09-24:
       Vendors informs that an updated app (version 3.10.6) fixing the
SSL certificate validation problem was rolled out and was already
available to 1% of the users.

. 2014-09-27:
       The vendor informed that the MercadoLibre app version 3.10.6
was publicly available

. 2014-10-24:
	Programa de Seguridad en TIC informs vendor that although it did not
receive further information about availability of the new version of
the app, it assumed that by now it was available to 100% of the
affected users and therefore will proceed with the publication of the
security advisory the next monday.

. 2014-11-07:
        A new version of the MercadoLibre application was published on
the Google Play market

. 2014-11-11:
        The advisory was released.

9. *References*

[1] About MercadoLibre
    http://investor.mercadolibre.com/
[2] MercadoLibre for Android
    https://play.google.com/store/apps/details?id=com.mercadolibre
[3] LoopJ Asyncrhonous HTTP Client
    https://github.com/loopj/android-async-http
[4] Programa STIC - Vulnerability Reporting and Disclosure Procedure
    http://www.fundacionsadosky.org.ar/procedimiento-stic
[5] Vulnerability Note VU#582497. Multiple Android applications fail
to properly validate SSL certificates.
    http://www.kb.cert.org/vuls/id/582497
[6] Ley 25.326 de Protección de los Datos Personales, Argentina.

http://www.jus.gob.ar/datos-personales/cumpli-con-la-ley/%C2%BFcuales-son-tus-obligaciones.aspx
[7] Fandango, Credit Karma Settle FTC Charges that They Deceived
Consumers By Failing to Securely Transmit Sensitive Personal Information.

http://www.ftc.gov/news-events/press-releases/2014/03/fandango-credit-karma-settle-ftc-charges-they-deceived-consumers
[8] Políticas de privacidad y confidencialidad de la información,
MercadoLibre.
    http://ayuda.mercadolibre.com.ar/seguro_privacidad

10. *About Fundación Dr. Manuel Sadosky*

The Dr. Manuel Sadosky Foundation is a mixed (public / private)
institution whose goal is to promote stronger and closer interaction
between industry and the scientific-technological system in all
aspects related to Information and Communications Technology (ICT).
The Foundation was formally created by a Presidential Decree in 2009.
Its Chairman is the Minister of Science, Technology, and Productive
Innovation of Argentina; and the Vice-chairmen are the chairmen of the
country’s most important ICT chambers: The Software and Computer
Services Chamber (CESSI) and the Argentine Computing and
Telecommunications Chamber (CICOMRA). For more information visit:
http://www.fundacionsadosky.org.ar

11. *Copyright Notice*

The contents of this advisory are copyright (c) 2014 Fundación Sadosky
and are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJUYoS7AAoJEOAj8IJkRx2rCj0QAKoBO6jPwRUqa8pi+Ncr9mut
hazeV8YATvaeFqwXelQnX6cBxGZ7nFsInVV309vCScRIl6/4sep01Jye7HpqLJwg
uv8b9tqcZ3jcuHwN9HhUQawLC6IFBJcge8HT2t5E/aFt1RxBsoefdOFe0YN5glCW
isADmMQ4ajCksiMdMIuBTtXL4UN0BltB2jUC7N+ZSZ4TNEuZWqTt73LdtEJA3eY/
RaeKirlXc6vtrLNwGDGZWEwsvl2AFaK9N50swrQH4QgwrYgOHvKiWOFfCHncRGYH
Jr8/akIXFA342zcwXNxyGDtLDEL5rG4fWAn4ClBCSbzhKfPVoTawqJVQEKaFllGx
MEUiLDSPgaxOvh/ox5IEl1+va2YCL3/Yoq8GxbJsNmRURoqcEsosARMpTSSM6CUU
7MX/pn1K4Tkci4MecusGrQZ9aB038+BKHQDudvuczCEkudjMAoZ5BvkEYOymMbK2
RZvPdwWl0AT/yZr3cbIPPrxyNUiUsfF3Kc2p1tsQgrgpjJGcGj3SLa+0RZ7Hmkui
yaFoal82bQrxXL3YRqVa1w7UxDSzVdLelXubuhttCfV68V6MZFpUWMNAygrdsW7H
K44UeW3Pfsv3ri1Sulk38dOtfeFiOYRrYPQTS7RR9lU9mjXzxdig/owtojlSF47d
b3z5br4ICd6PUfahS0PZ
=FMUl
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ