- My Forums
- Tiger Rant
- LSU Recruiting
- SEC Rant
- Saints Talk
- Pelicans Talk
- More Sports Board
- Fantasy Sports
- Golf Board
- Soccer Board
- O-T Lounge
- Tech Board
- Home/Garden Board
- Outdoor Board
- Health/Fitness Board
- Movie/TV Board
- Book Board
- Music Board
- Political Talk
- Money Talk
- Fark Board
- Gaming Board
- Travel Board
- Food/Drink Board
- Ticket Exchange
- TD Help Board
Customize My Forums- View All Forums
- Show Left Links
- Topic Sort Options
- Trending Topics
- Recent Topics
- Active Topics
Started By
Message
1,500 iOS apps have HTTPS-crippling bug.
Posted on 4/20/15 at 4:29 pm
Posted on 4/20/15 at 4:29 pm
quote:
About 1,500 iPhone and iPad apps contain an HTTPS-crippling vulnerability that makes it easy for attackers to intercept encrypted passwords, bank-account numbers, and other highly sensitive information, according to research released Monday.
An estimated two million people have installed the vulnerable apps, which include the Citrix OpenVoice Audio Conferencing, the Alibaba.com mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0, and Revo Restaurant Point of Sale, according to analytics service SourceDNA. The weakness is the result of a bug in an older version of the AFNetworking, an open-source code library that allows developers to drop networking capabilities into their apps. Although AFNetworking maintainers fixed the flaw three weeks ago with the release of version 2.5.2, at least 1,500 iOS apps remain vulnerable because they still use version 2.5.1. That version became available in January and introduced the HTTPS-crippling flaw.
"The issue occurs even when the mobile application requests the library to apply checks for server validation in SSL certificates," researchers Simone Bovi and Mauro Gentile wrote in a blog post published in late March. They went on to say that they analyzed one app running AFNetworking 2.5.1 and found alarming results. "We tested the app on a real device and, unexpectedly, we found that all the SSL traffic could be regularly intercepted through a proxy like Burp without any intervention!" (Emphasis is theirs.)
According to research published Monday by SourceDNA, about 1,500 iOS apps remain vulnerable to man-in-the-middle attacks that can decrypt HTTPS-encrypted data. To exploit the bug, attackers on a coffee shop Wi-Fi network or in another position to monitor the connection of a vulnerable device need only present it with a fraudulent secure sockets layer certificate. Under normal conditions the credential would immediately be detected as a counterfeit, and the connection would be dropped. But because of a logic error in the code of version 2.5.1, the validation check is never carried out, so fraudulent certificates are fully trusted.
This shite for real????
LINK
This post was edited on 4/20/15 at 4:30 pm
Posted on 4/20/15 at 5:09 pm to jeff5891
Well, there are probably very roughly around 1.5 million iPhone apps.
Posted on 4/20/15 at 8:43 pm to jeff5891
This is an example of how OSS can be terrible
Popular
Back to top
Follow TigerDroppings for LSU Football News