@rlaneth
Created January 15, 2018 15:53
[CVE-2018-5258] Neon 1.6.14 for iOS Missing SSL Certificate Validation
Title
========
Neon 1.6.14 for iOS Missing SSL Certificate Validation
Date
========
2018-01-15
Author
========
Rodrigo Laneth
Twitter: @rlaneth
CVE-ID
========
CVE-2018-5258
Vendor
========
Banco Neon S.A.
Software
========
Neon
https://itunes.apple.com/app/neon/id1127996388
Version
========
1.6.14
Previous versions have not been tested, but may also be affected.
Platform
========
iOS
Summary
========
The Neon app 1.6.14 for iOS does not verify X.509 certificates from SSL servers,
which allows man-in-the-middle attackers to spoof servers and obtain sensitive
information via a crafted certificate.
Details
========
The app does not validate SSL certificates from the
webapimethods.banconeon.com.br and servicos.banconeon.com.br hosts, allowing a
man-in-the-middle attacker to silently intercept requests.
In addition to SSL, the app implements a custom layer of encryption. It does
not, however, serve as an effective protection against attacks. One of its
weaknesses is that it encrypts sensitive data with AES using a key received from
the server when the user logs in; and although this key is RSA encrypted when
transmitted, the private keys necessary for its decryption are hardcoded within
the app, and therefore could be easily obtained by an attacker.
Sensitive user information such as name, virtual card number, expiration date
and verification code (CVV) has been confirmed to be recoverable through the
exploitation of this vulnerability combined with the weaknesses present in the
app's custom encryption layer.
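The iOS pattern behind this class of bug, with the vulnerable form beside the hardened one, as an added illustration that is not code from the Neon app or from the author of this advisory; the delegate class names are hypothetical, and the hardened form assumes iOS 12 or later for SecTrustEvaluateWithError:

```swift
import Foundation
import Security

// Vulnerable pattern (hypothetical name): the trust object is accepted without
// being evaluated, so any certificate, including a crafted one, is accepted.
final class PermissiveSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Wrapping the unevaluated trust in a credential disables validation.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Hardened pattern (hypothetical name): the chain is evaluated against an SSL
// policy bound to the contacted hostname; anything that fails is rejected.
// Not overriding this delegate method at all gives the same default validation.
final class ValidatingSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        let host = challenge.protectionSpace.host
        // SecPolicyCreateSSL(true, host) checks the server role and hostname match.
        _ = SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, host as CFString))
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            // Chain, expiry and hostname passed: accept this server.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Evaluation failed: cancel the connection rather than falling back.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

A quick check for the vulnerable form during review is a proxy with a self-signed certificate: a correctly validating app refuses to connect, while an app using the permissive delegate connects without error.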
Response
========
To date, Banco Neon S.A. has not addressed this vulnerability.
Timeline
========
- [2017-12-30] First attempt to contact the vendor (no response).
- [2018-01-06] Second attempt to contact the vendor. The vendor affirms the
  report will be forwarded to the app's development team, but does not provide a
  deadline for the release of an update addressing the issue.
- [2018-01-13] Vendor is informed of the assignment of a CVE ID and the planned
  date for disclosure. The vendor affirms the issue is being investigated by the
  app's development team, without providing any new information.
- [2018-01-15] Full disclosure.