lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 15 May 2014 06:39:25 GMT
From: harun.esur@...ptive.com
To: bugtraq@...urityfocus.com
Subject: Bilyoner mobile apps prone to various SSL/TLS attacks

=====================================================================
                                                  Sceptive Security Advisory

Synopsis:          Bilyoner mobile apps prone to various SSL/TLS attacks
Product:             Various mobile applications
Advisory URL:    http://sceptive.com/p/bilyoner-mobile-apps-prone-to-various-ssltls-attacks
Advisory number: CVE-2014-3750
Issue date:          2014-04-02
=====================================================================

1. Summary:

Bilyoner [1] is an online betting platform for various betting options on idda [2] , spor toto [3], milli piyango [4], tjk [5].

We have found that mobile apps vulnerable to SSL/TLS attacks which eventually lets attackers to gain sensitive information and hijack user sessions.

2. Description:

On misconfigured network environments it is possible to redirect HTTPS packets over MITM tools for SSL sessions.

When we redirected our network on such a configuration we have observed that app sends/receives user data unecrypted.

REQUEST

{
    "password": "333444",
    "sessionId": "9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e",
    "username": "12312312"
}

And also session-id's are vulnerable for attackers to use on their own configurations to hijack other users' sessions. Such as;

RESPONSE

{
    "bilyonerCookies": {                                                                                                   
        "JSESSIONID": "RQdFTcnPydRypLXc71kXhYjBtN5p5sGT31GN4hvRlsN8qTz2GQ2T!-1656694263",        
         "NSC_wtfswfs-ttm": "ffffffffc3a0840e45525d5f4f58455e445a4a423660"
    },                                                                                                                     
    "bilyonerSessionId": "C1yTTcnP2wSnwyV2gstRkhrsBh8dsqJfvCYBFHqTGvVwhZSYhsJM!-1656694263!1394403087638",
    "sessionId": "9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e"
}

3. Solution:

For Android apps it's advised to upgrade 2.3.1. For IOS platforms 4.6.2 is available..

4. Links:

[1] http://www.bilyoner.com/
[2] http://www.iddaa.com/
[3] https://www.sportoto.gov.tr/
[4] http://www.millipiyango.gov.tr/
[5] http://www.tjk.org/EN

5. Contact:

Harun Esur <harun.esur@...ptive.com>

Copyright 2014 Sceptive <http://sceptive.com>

=====================================================================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ