Archive

Posts Tagged ‘iPhone’

Security Advisory: Bambuser Mobile Application

October 3, 2012

  • Advisory Title: Bambuser Mobile Application Information Disclosure Vulnerability
  • Internal ID: STRATSEC-2012-002
  • External ID: CVE Pending
  • Date discovered: August 10, 2012
  • Date reported: August 10, 2012
  • Date published: October 3, 2012
  • Current status: Vendor fix is in place
  • Discovered by: Beau Woods, Stratigos Security
  • Vendor: Bambuser (bambuser.com)
  • Affected product: Bambuser mobile application
  • Platform: iOS (confirmed); likely other platforms (unconfirmed)
  • Vulnerable Version: 1.9.3 (confirmed); likely previous versions (unconfirmed)
  • Severity: 4.7 (CVSS v2)

Stratigos Security became aware of a vulnerability in the Bambuser mobile application and reported the issue to Bambuser on August 10, 2012. Bambuser responded quickly, provided an estimated timeline for the fix, and notified Stratigos Security when the updated version was published. Stratigos Security has confirmed that the vulnerability is fixed in the updated version.

The formal advisory is published here: Security Advisory STRAT-2012-002 Bambuser Mobile Application Information Disclosure Vulnerability

Security Advisory: Ustream Mobile Application

October 3, 2012

  • Advisory Title: Ustream Mobile Application Information Disclosure Vulnerability
  • Internal ID: STRATSEC-2012-001
  • External ID: CVE Pending
  • Date discovered: August 6, 2012
  • Date reported: August 10, 2012
  • Date published: October 3, 2012
  • Current status: Reported to Vendor, not yet fixed
  • Discovered by: Beau Woods, Stratigos Security
  • Vendor: Ustream (USTREAM.TV)
  • Affected product: Ustream mobile application
  • Platform: iOS (confirmed); likely other platforms (unconfirmed)
  • Vulnerable Version: 2.3.1 (confirmed); likely previous versions (unconfirmed)
  • Severity: 4.7 (CVSS v2)

Stratigos Security became aware of a vulnerability in the Ustream iOS application and reported the issue to Ustream on August 10, 2012. As of October 3, 2012, Ustream had not fixed the issue and had no projected date for a fix. Stratigos Security has therefore released details of this as yet unpatched vulnerability to the public. We do not like to do this, nor do we take the decision lightly. However, some people use the application under conditions where the information it discloses could lead to their identification by repressive governments, and to bodily harm to them or their friends and family, so we are releasing this information publicly. Those who would exploit the vulnerability very likely already know about it, whereas the potential victims are likely unaware.

The formal advisory is published here: Security Advisory STRAT-2012-001 Ustream Mobile Application Information Disclosure Vulnerability

Clever Hack Makes In-App Purchases Free

July 13, 2012

A Russian site today published a report that a simple and clever hack can allow Apple iOS in-app purchases to be made at no cost. The hack does not require the phone to be jailbroken.

Exploiting the weakness in the in-app purchase flow takes only two primary steps. First, an additional SSL (certificate authority) certificate is installed on the device itself, which involves downloading the file and a couple of screen taps; once it is installed, the device trusts any server certificate issued under it. The second and more difficult part requires control over the local network to create a custom DNS entry, so that the hostname the app uses for Apple's purchase-verification server resolves to a different server. (Stratigos Security researchers are looking at a way to simplify this.) When the iOS app then attempts to connect to Apple's servers to complete the purchase, the connection is redirected to that server, which presents a certificate the device now trusts and returns a fraudulent authorization, and the app unlocks the in-game content. This poses a clear threat to Apple's and game makers' revenue.

But this could pose a risk to phone owners as well. The installed certificate makes the device trust that third-party server for whatever hostnames it chooses to impersonate, not just the purchase endpoint. If the app update mechanism or any other communication goes through the third-party server, it opens the possibility of introducing malicious code to the device. This is similar to other man-in-the-middle attacks facilitated by tools such as The Middler and Evilgrade. Device owners should consider these risks before carrying out these procedures.

At this time it is not yet possible to validate the Russian site's story, because the servers enabling the hack have been under heavy load and at least one has apparently been taken down by its hosting provider following a legal request from Apple. However, Stratigos Security researchers are working to independently confirm the issue in our lab.

UPDATE: A post on 9-to-5 Mac all but confirms the ability to circumvent the iOS App Store for in-app purchases. Other potential security issues have not yet been confirmed.

UPDATE: Macworld reports that both username and password are sent to the server, where the server operator sees them in plaintext. This means that the server, or any attacker who successfully executes a man-in-the-middle attack, can access the victim's credentials. These credentials are not valid only at the iOS App Store; they typically work across multiple Apple properties, and often elsewhere because of password reuse. Note that simply sending a hash of the password instead of the password would not help here: a rogue server that captures the hash can replay it just as it would replay the password. The effective protection is on the client side, so that the app refuses to talk to any server that does not present Apple's genuine certificate (for example by pinning that certificate rather than trusting whatever root has been installed on the device), and credentials are never sent to a rogue endpoint in the first place.
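As an added illustration (not code from the original post, from Apple, or from any app vendor), the following Python sketches the two client-side checks that break the redirect-and-forge pattern described above: refusing any connection whose server certificate is not the one the app expects, and validating the contents of the purchase receipt rather than trusting a bare "authorized" reply. The response layout (status, receipt, bid, product_id, transaction_id), the bundle and product identifiers, and the certificate bytes are constructed placeholders for the example; a real app would pin the fingerprint of Apple's genuine certificate and use the receipt format Apple documents.

```python
"""Client-side defences against a redirected purchase-verification server.

Added example, not code from the original post, Apple, or any app vendor.
Field names, identifiers and certificate bytes below are constructed
placeholders so the example runs offline.
"""
import hashlib
import hmac
import json

# Constructed stand-ins for DER-encoded server certificates.  In a real app the
# pinned value is the SHA-256 of Apple's genuine certificate, fixed at build time.
GENUINE_SERVER_CERT_DER = b"constructed: genuine purchase-verification server cert"
ROGUE_SERVER_CERT_DER = b"constructed: rogue server cert issued by the installed root"
PINNED_FINGERPRINT = hashlib.sha256(GENUINE_SERVER_CERT_DER).hexdigest()

EXPECTED_BUNDLE_ID = "com.example.game"  # assumption: this app's own bundle id
KNOWN_PRODUCT_IDS = {"com.example.game.coins100", "com.example.game.coins500"}

# Constructed verification responses.  The forged one is what a rogue server
# might replay: a real-looking receipt that belongs to some other app.
GENUINE_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {"bid": "com.example.game",
                "product_id": "com.example.game.coins100",
                "transaction_id": "1000000012345678"},
})
FORGED_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {"bid": "com.other.app",
                "product_id": "com.other.app.unlock",
                "transaction_id": "1000000099999999"},
})


class PurchaseRejected(Exception):
    """Raised when either the transport or the receipt fails validation."""


def check_transport(presented_cert_der: bytes) -> None:
    """Accept the connection only if the server presents the pinned certificate.

    Step 1 of the hack (installing a root via a profile) makes the system trust
    store accept the rogue server; comparing against a pinned fingerprint
    ignores the trust store entirely, so that step buys the attacker nothing.
    """
    presented = hashlib.sha256(presented_cert_der).hexdigest()
    if not hmac.compare_digest(presented, PINNED_FINGERPRINT):
        raise PurchaseRejected("certificate fingerprint mismatch: possible MITM")


def check_receipt(response_json: str, seen_transaction_ids: set) -> dict:
    """Validate the receipt before unlocking content.

    A forged or replayed reply typically carries another app's bundle id, an
    unknown product, or a transaction id that was already consumed.
    """
    resp = json.loads(response_json)
    if resp.get("status") != 0:
        raise PurchaseRejected(f"verification status {resp.get('status')!r}")
    receipt = resp.get("receipt") or {}
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:
        raise PurchaseRejected("receipt belongs to a different app")
    if receipt.get("product_id") not in KNOWN_PRODUCT_IDS:
        raise PurchaseRejected("unknown product id")
    tid = receipt.get("transaction_id")
    if not tid or tid in seen_transaction_ids:
        raise PurchaseRejected("missing or replayed transaction id")
    seen_transaction_ids.add(tid)
    return receipt


def authorize_purchase(presented_cert_der: bytes, response_json: str,
                       seen_transaction_ids: set) -> bool:
    """True only if both the connection and the receipt pass validation."""
    try:
        check_transport(presented_cert_der)
        check_receipt(response_json, seen_transaction_ids)
        return True
    except PurchaseRejected:
        return False


def run_demo():
    """Four scenarios: genuine, redirected server, forged receipt, replayed receipt."""
    seen = set()
    genuine = authorize_purchase(GENUINE_SERVER_CERT_DER, GENUINE_RESPONSE, seen)
    mitm = authorize_purchase(ROGUE_SERVER_CERT_DER, GENUINE_RESPONSE, set())
    forged = authorize_purchase(GENUINE_SERVER_CERT_DER, FORGED_RESPONSE, set())
    replay = authorize_purchase(GENUINE_SERVER_CERT_DER, GENUINE_RESPONSE, seen)
    return genuine, mitm, forged, replay


if __name__ == "__main__":
    print(run_demo())  # (True, False, False, False)
```

The transport check alone stops the attack as described, because the rogue server terminates the TLS connection with a certificate that is not the pinned one. The receipt checks are defence in depth for the case where the app's transport is already compromised or where a valid-looking receipt from another app or an earlier purchase is replayed.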

Categories: Cybersecurity