| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <160fa7e7b5a.c6ec9ba7252537.3294999212220694874@rapidlight.io> Date: Mon, 15 Jan 2018 13:44:41 -0200 From: Rodrigo Menezes <rodrigo@...idlight.io> To: "fulldisclosure" <fulldisclosure@...lists.org> Subject: Re: [FD] [CVE-2018-5258] Neon 1.6.14 for iOS Missing SSL Certificate Validation The three events listed with dates from January, 2017 on the "Timeline" section actually occurred on January, 2018. This is the correct timeline: ---- - [2017-12-30] First attempt to contact the vendor (no response). - [2018-01-06] Second attempt to contact the vendor. The vendor affirms the report will be forwarded to the app's development team, but does not provide a deadline for the release of an update addressing the issue. - [2018-01-13] Vendor is informed of the assignment of a CVE ID and the planned date for disclosure. The vendor affirms the issue is being investigated by the app's development team, not providing any new information. - [2018-01-15] Full disclosure. ---- A corrected version of the advisory will be sent to the list. I apologize for the mistake. ---- On Mon, 15 Jan 2018 04:29:54 -0200 Rodrigo Menezes <rodrigo@...idlight.io> wrote ---- Title ======== Neon 1.6.14 for iOS Missing SSL Certificate Validation Date ======== 2018-01-15 Author ======== Rodrigo Laneth Twitter: @rlaneth CVE-ID ======== CVE-2018-5258 Vendor ======== Banco Neon S.A. Software ======== Neon https://itunes.apple.com/app/neon/id1127996388 Version ======== 1.6.14 Previous versions have not been tested, but may also be affected. Platform ======== iOS Summary ======== The Neon app 1.6.14 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. Details ======== The app does not validate SSL certificates from the webapimethods.banconeon.com.br and servicos.banconeon.com.br hosts, allowing a man-in-the-middle attacker to silently intercept requests. In addition to SSL, the app implements a custom layer of encryption. It does not, however, serve as an effective protection against attacks. One of its weaknesses is that it encrypts sensitive data with AES using a key received from the server when the user logs in; although this key is RSA encrypted when transmitted, the private keys necessary for its decryption are hardcoded within the app, and therefore could be easily obtained by an attacker. Sensitive user information such as name, virtual card number, expiration date and verification code (CVV) have been confirmed to be recoverable through the exploitation of this vulnerability and the weaknesses present in the app's custom encryption layer. Response ======== Up to date, Banco Neon S.A. has not yet addressed this vulnerability. Timeline ======== - [2017-12-30] First attempt to contact the vendor (no response). - [2017-01-06] Second attempt to contact the vendor. The vendor affirms the report will be forwarded to the app's development team, but does not provide a deadline for the release of an update addressing the issue. - [2017-01-13] Vendor is informed of the assignment of a CVE ID and the planned date for disclosure. The vendor affirms the issue is being investigated by the app's development team, not providing any new information. - [2017-01-15] Full disclosure. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists