Created
January 15, 2018 15:53
-
-
Save rlaneth/d2203c206d5d5acbdaf6069e78b1d07f to your computer and use it in GitHub Desktop.
[CVE-2018-5258] Neon 1.6.14 for iOS Missing SSL Certificate Validation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Title | |
======== | |
Neon 1.6.14 for iOS Missing SSL Certificate Validation | |
Date | |
======== | |
2018-01-15 | |
Author | |
======== | |
Rodrigo Laneth | |
Twitter: @rlaneth | |
CVE-ID | |
======== | |
CVE-2018-5258 | |
Vendor | |
======== | |
Banco Neon S.A. | |
Software | |
======== | |
Neon | |
https://itunes.apple.com/app/neon/id1127996388 | |
Version | |
======== | |
1.6.14 | |
Previous versions have not been tested, but may also be affected. | |
Platform | |
======== | |
iOS | |
Summary | |
======== | |
The Neon app 1.6.14 for iOS does not verify X.509 certificates from SSL servers, | |
which allows man-in-the-middle attackers to spoof servers and obtain sensitive | |
information via a crafted certificate. | |
Details | |
======== | |
The app does not validate SSL certificates from the | |
webapimethods.banconeon.com.br and servicos.banconeon.com.br hosts, allowing a | |
man-in-the-middle attacker to silently intercept requests. | |
In addition to SSL, the app implements a custom layer of encryption. It does | |
not, however, serve as an effective protection against attacks. One of its | |
weaknesses is that it encrypts sensitive data with AES using a key received from | |
the server when the user logs in; and although this key is RSA encrypted when | |
transmitted, the private keys necessary for its decryption are hardcoded within | |
the app, and therefore could be easily obtained by an attacker. | |
Sensitive user information such as name, virtual card number, expiration date | |
and verification code (CVV) have been confirmed to be recoverable through the | |
exploitation of this vulnerability and the weaknesses present in the app's | |
custom encryption layer. | |
Response | |
======== | |
Up to date, Banco Neon S.A. has not yet addressed this vulnerability. | |
Timeline | |
======== | |
- [2017-12-30] First attempt to contact the vendor (no response). | |
- [2018-01-06] Second attempt to contact the vendor. The vendor affirms the | |
report will be forwarded to the app's development team, but does not provide a | |
deadline for the release of an update addressing the issue. | |
- [2018-01-13] Vendor is informed of the assignment of a CVE ID and the planned | |
date for disclosure. The vendor affirms the issue is being investigated by the | |
app's development team, not providing any new information. | |
- [2018-01-15] Full disclosure. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment