CVE-2014-2993 Birebin.com Android App SSL certificate validation weakness

April 23, 2014

Birebin.com is an online betting web site which also provides an Android app so that members can place bets more easily.

We have found that the Android app is vulnerable to SSL man-in-the-middle (MITM) attacks (http://en.wikipedia.org/wiki/Man-in-the-middle_attack), which let an attacker capture user name and password pairs and hijack the sessions of app users.

Description

In network environments where traffic can be redirected, HTTPS connections from the app can be routed through an SSL MITM tool. Because the app does not properly validate the server certificate, it accepts the certificate presented by the MITM tool and completes the handshake.

When we redirected our own network through such a setup, we observed that the user data the app sends and receives was readable in cleartext on the MITM tool, for example the login request below:

REQUEST

{
    "Password": "123456",
    "UserName": "abc@abc.com"
}

The Token value that the app uses to identify the session is exposed in the same way; an attacker who captures it can reuse it from their own client to hijack the victim's session.
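The advisory does not include the app's source, so the following is an added illustration, not code from the Birebin app: the trust-all TrustManager and accept-any HostnameVerifier pattern that produces exactly the behaviour described above, next to a corrected version that keeps the platform's chain validation and additionally pins the SHA-256 of the server's public key. The host https://www.birebin.com/ and the pin value are assumptions (the real pin must be computed from the server's actual certificate); only standard javax.net.ssl and java.security APIs are used.

```java
import java.io.IOException;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SslValidationExample {

    // VULNERABLE (hypothetical, not the Birebin code): every certificate chain is
    // accepted, so a MITM tool's self-signed certificate passes and the login JSON
    // is readable on the tool. This is the pattern behind the symptom in the advisory.
    static SSLContext trustEverything() throws Exception {
        TrustManager[] acceptAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        return ctx;
    }

    // Frequently paired with a hostname verifier that also accepts anything
    // (HttpsURLConnection.setDefaultHostnameVerifier(ACCEPT_ANY_HOST)). Never install this.
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    // FIXED: run the platform's normal chain validation first, then require that the
    // leaf certificate's SubjectPublicKeyInfo hashes to the expected pin.
    static SSLContext pinned(final String expectedSpkiSha256Base64) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = platform CA store
        final X509TrustManager platform = (X509TrustManager) tmf.getTrustManagers()[0];

        X509TrustManager pinning = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkClientTrusted(chain, authType);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkServerTrusted(chain, authType); // rejects self-signed MITM certs
                byte[] spki = chain[0].getPublicKey().getEncoded();
                String actual;
                try {
                    actual = Base64.getEncoder()
                        .encodeToString(MessageDigest.getInstance("SHA-256").digest(spki));
                } catch (NoSuchAlgorithmException e) {
                    throw new CertificateException(e);
                }
                if (!actual.equals(expectedSpkiSha256Base64)) {
                    throw new CertificateException(
                        "Public key pin mismatch for " + chain[0].getSubjectX500Principal());
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinning }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: host and pin are placeholders, not taken from the advisory.
        String pin = args.length > 0 ? args[0] : "REPLACE_WITH_BASE64_SHA256_OF_SERVER_SPKI";
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://www.birebin.com/").openConnection();
        conn.setSSLSocketFactory(pinned(pin).getSocketFactory());
        // The default HostnameVerifier stays in place; ACCEPT_ANY_HOST is never installed.
        try {
            System.out.println("HTTP " + conn.getResponseCode());
        } catch (IOException e) {
            // A MITM certificate or a wrong pin ends here as an SSLHandshakeException.
            System.out.println("Connection refused by client-side validation: " + e);
        }
    }
}
```

With the pinned context, an SSL MITM tool that presents its own certificate is rejected before any request body is sent, so neither the login JSON nor the session Token ever reaches the tool. The pin should be computed from the server's real certificate and rotated together with it; on Android below API 26, java.util.Base64 is unavailable and android.util.Base64 must be used instead.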

Affected Version(s)

No version number is shown in the app, so we provide the MD5 hash of the vulnerable APK instead:

MD5 (birebin-android-latest.apk) = 60bea6a1694b1ffc87c4dc3f2ba6a8be

Fixes

No fix has been released yet.