lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAHmS9PLAb3FSPnKtZnmTFX3ms357tiwRbJZMvT9zEz4mZphqpA@mail.gmail.com>
Date: Tue, 26 May 2015 21:25:10 -0400
From: David Coomber <davidcoomber.infosec@...il.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com, vuln@...unia.com,
  cert@...t.org
Subject: Thycotic Password Manager Secret Server iOS Application - MITM SSL
 Certificate Vulnerability

Thycotic Password Manager Secret Server iOS Application - MITM SSL
Certificate Vulnerability
--
http://www.info-sec.ca/advisories/Thycotic-SecretServer.html

Overview
"With the Password Manager Secret Server app, you can access passwords
for an EXISTING on-premise Secret Server or Secret Server Online
account."

"This password app combines enterprise-level security with home-user
simplicity, making it a convenient choice for both IT professionals
AND home users."

"Count on Extreme Security:
Your passwords are safely stored on a secure server-not on your phone.
You get top-level AES 256 bit encryption.
You get a personal pin code lock for an additional layer of security.
A built-in password generator creates strong, unique passwords.
Your data is backed by a leading enterprise password management platform."

"Safe Storage for:
Enterprise-level or personal passwords.
Bank account and tax numbers.
ATM Pins.
Social security numbers.
Credit card numbers.
Combination lock numbers"

(https://itunes.apple.com/us/app/password-manager-secret-server/id327380697)

Issue
The Thycotic Password Manager Secret Server iOS application does not
validate the SSL certificate it receives when connecting to a secure
site.

Impact
An attacker could perform a man in the middle attack by presenting a
bogus SSL certificate which the application will accept silently.
Usernames, passwords and sensitive information could be captured by an
attacker without the user's knowledge.

Timeline
February 1, 2015 - Notified Thycotic via security@...cotic.com, e-mail bounced
February 1, 2015 - Resent to secure@...cotic.com & info@...cotic.com,
e-mail to secure@...cotic.com bounced
February 2, 2015 - Thycotic confirmed the vulnerability and advised
that an update to resolve the issue would be released by the end of
the week
February 12, 2015 - Thycotic advised that the update will be released shortly
February 24, 2015 - Thycotic advised that the update has been pushed
out for another month or two
March 21, 2015 - Thycotic advised that the update has been provided to
Apple for their verification
May 26, 2015 - Thycotic released the Thycotic PAM iOS application
which they state is a replacement for the Thycotic Secret Server iOS
application

Solution
Thycotic has chosen to release a new application instead of updating
the existing Secret Server application. If you use the Secret Server
iOS application, you'll likely want to log in to your Secret Server
instance or https://secretserveronline.com with a browser, change your
password(s) and decide if you want to use the new application.

https://itunes.apple.com/us/app/thycotic-pam/id979011770

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ