lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAAyEnSMFengN1Jt19tPz4J8OrWFWTPWNA94n4FEXR0CxQrcZbA@mail.gmail.com>
Date: Wed, 14 Sep 2016 19:35:11 -0400
From: Nightwatch Cybersecurity <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Insecure transmission of data in Android applications
 developed with Adobe AIR [CVE-2016-6936]

Original at:
https://wwws.nightwatchcybersecurity.com/2016/09/14/advisory-insecure-transmission-of-data-in-android-applications-developed-with-adobe-air-cve-2016-6936/

Summary

Android applications developed with Adobe AIR send data back to Adobe
servers without HTTPS while running. This can allow an attacker to
compromise the privacy of the applications’ users. This has been fixed
in Adobe AIR SDK release v23.0.0.257.

Details

Adobe AIR is a developer product which allows the same application
code to be compiled and run across multiple desktop and mobile
platforms. While monitoring network traffic during testing of several
Android applications we observed network traffic over HTTP without the
use of SSL going to several Adobe servers including the following:

- airdownload2.adobe.com
- mobiledl.adobe.com

Because encryption is not used, this would allow a network-level
attacker to observe the traffic and compromise the privacy of the
applications’ users.

This affects applications compiled with the Adobe AIR SDK versions
22.0.0.153 and earlier.

Vendor Response

Adobe has released a fix for this issue on September 13th, 2016 in
Adobe AIR SDK v23.0.0.257. Developers should update and rebuild their
application using the latest SDK.

References

Adobe Security Bulletin: ASPB16-31
CVE: CVE-2016-6936

Timeline

2016-06-15: Report submitted to Adobe’s HackerOne program
2016-06-16: Report out of scope for this program, directed to Adobe’s PSIRT
2016-06-16: Submitted via email to Adobe’s PSIRT
2016-06-17: Reply received from PSIRT and a ticket number is assigned
2016-09-09: Response received from the vendor that the fix will be
released next week
2016-09-13: Fix released
2016-09-14: Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ