CVE-2014-2992 Misli.com Android App SSL certificate validation weakness

April 23, 2014

Misli.com is an online betting web-site which also provides Android app. for the members to ease on betting.

We have found that Android app vulnerable to SSL mitm attacks (http://en.wikipedia.org/wiki/Man-in-the-middle_attack) which eventually let attackers to gather user name-password and session hijacking capabilities against app. users.

Description

On misconfigured network environments it is possible to redirect HTTPS packets over MITM tools for SSL sessions.

When we redirected our network on such a configuration we have observed that app sends/receives user data unecrypted.

REQUEST

{
    "login": "abc@abc.com",
    "password": "123456",
    "sessionid": "5e8c1de7-229a-49cf-a6aa-30fa9be9c41d"
}

And also session-id's are vulnerable for attackers to use on their own configurations to hijack other users' sessions.

Affected Versions

No version is given in app. But we provide md5 hash of the vulnerable APK

MD5 (android.apk) = 35bb423c18e7269922d9610ef050b7ae

Fixes

No known fixes has been released yet.