[FD] [CVE-2018-5258] Neon 1.6.14 for iOS Missing SSL Certificate Validation
- From: Rodrigo Menezes <rodrigo AT rapidlight.io>
- Subject: [FD] [CVE-2018-5258] Neon 1.6.14 for iOS Missing SSL Certificate Validation
- Date: Mon, 15 Jan 2018 04:29:54 -0200
- Sender: "Fulldisclosure" <fulldisclosure-bounces AT seclists.org>
- To: "fulldisclosure" <fulldisclosure AT seclists.org>
Neon 1.6.14 for iOS Missing SSL Certificate Validation
Banco Neon S.A.
Previous versions have not been tested, but may also be affected.
The Neon app 1.6.14 for iOS does not verify X.509 certificates from SSL servers,
which allows man-in-the-middle attackers to spoof servers and obtain sensitive
information via a crafted certificate.
The app does not validate SSL certificates from the
webapimethods.banconeon.com.br and servicos.banconeon.com.br hosts, allowing a
man-in-the-middle attacker to silently intercept requests.
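As an added example (not code from the Neon app, whose networking code is not shown in this post), the following URLSession delegate does what the advisory says the app fails to do: it evaluates the server's X.509 chain and hostname against the system trust store and, for the two hosts named above, additionally pins the leaf certificate. The hostnames are taken from the advisory; the pin values are placeholders.

```swift
import Foundation
import Security
import CryptoKit

// Added example, not code from the Neon app. The placeholder pin values must be
// replaced with base64(SHA-256(DER)) of each host's real leaf certificate.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {

    /// Hosts named in the advisory, mapped to the base64 SHA-256 of the DER
    /// certificates accepted for them (placeholders here).
    private let pinnedCertificateHashes: [String: Set<String>] = [
        "webapimethods.banconeon.com.br": ["PLACEHOLDER_BASE64_SHA256_OF_LEAF_DER="],
        "servicos.banconeon.com.br":      ["PLACEHOLDER_BASE64_SHA256_OF_LEAF_DER="],
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        // Only server-trust challenges are handled here; everything else gets
        // the system default behaviour.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        let host = challenge.protectionSpace.host

        // Step 1: full chain validation against the system trust store with an
        // SSL policy that also checks the hostname. A delegate that skips this
        // evaluation and answers .useCredential unconditionally is the defect
        // class the advisory describes; this is what code review should look for.
        let policy = SecPolicyCreateSSL(true, host as CFString)
        SecTrustSetPolicies(trust, policy)
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: pinning. For hosts with pins, the leaf certificate must also
        // match one of the pinned hashes, so a chain that is valid but issued by
        // a different CA is still rejected.
        if let expectedHashes = pinnedCertificateHashes[host] {
            guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
                  expectedHashes.contains(Self.sha256Base64(of: leaf)) else {
                completionHandler(.cancelAuthenticationChallenge, nil)
                return
            }
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    /// base64(SHA-256(DER(certificate))): the value to store as a pin.
    static func sha256Base64(of certificate: SecCertificate) -> String {
        let der = SecCertificateCopyData(certificate) as Data
        return Data(SHA256.hash(data: der)).base64EncodedString()
    }
}

// Usage: requests to the pinned hosts go through a session that uses the delegate.
let session = URLSession(configuration: .ephemeral,
                         delegate: PinnedSessionDelegate(),
                         delegateQueue: nil)
```

Pinning the whole leaf certificate is the simplest form to get right, but it means the pin set must be updated before every certificate rotation, so a backup pin for the next certificate belongs in the set. Note that this only restores transport security; it does nothing about the hardcoded private keys in the app's custom encryption layer described below.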
In addition to SSL, the app implements a custom layer of encryption. It does
not, however, serve as an effective protection against attacks. One of its
weaknesses is that it encrypts sensitive data with AES using a key received from
the server when the user logs in; although this key is RSA encrypted when
transmitted, the private keys necessary for its decryption are hardcoded within
the app, and therefore could be easily obtained by an attacker.
Sensitive user information such as name, virtual card number, expiration date
and verification code (CVV) has been confirmed to be recoverable through
exploitation of this vulnerability combined with the weaknesses present in the
app's custom encryption layer.
To date, Banco Neon S.A. has not addressed this vulnerability.
- [2017-12-30] First attempt to contact the vendor (no response).
- [2017-01-06] Second attempt to contact the vendor. The vendor affirms the
report will be forwarded to the app's development team, but does not provide a
deadline for the release of an update addressing the issue.
- [2017-01-13] Vendor is informed of the assignment of a CVE ID and the planned
date for disclosure. The vendor affirms the issue is being investigated by the
app's development team, but provides no new information.
- [2017-01-15] Full disclosure.
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/