CyanogenMod-Powered Users Susceptible to Man-in-the-middle Attacks

Android users running the popular CyanogenMod third-party ROM could fall victim to man-in-the-middle (MitM) attacks, apparently possible because of the re-use of sample Java code.

According to a news report from The Register, CyanogenMod developers re-used a snippet of proof-of-concept code provided by Oracle to process SSL certificates and validate hostnames. The 10-year-old piece of code, publicly available on GitHub, is known to contain flaws that allow attackers to present an SSL certificate issued for one domain as valid for a different one, while the certificate itself still passes the scrutiny of certificate authorities.

“If you go and create an SSL certificate for a domain you own, say evil.com, and in an element of the certificate signing request such as the ‘organization name’ field you put the value ‘cn=*domain name*’, it will be accepted as the valid domain name for the certificate,” the researcher claiming the discovery said. “Since CyanogenMod uses this implementation for its browsers, you can go now and MitM someone’s phone,” he added.
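To make the flaw class concrete, the following is an added Python illustration (not the Oracle sample or the CyanogenMod code) of a hostname verifier that extracts the CN by substring search over the subject DN string, beside a check that parses the DN structure and prefers the Subject Alternative Name as RFC 6125 requires; the DN values and hostnames are constructed for the example.

```python
# Constructed illustration of the bug class described above: a verifier that pulls
# the CN out of the subject DN *string* by substring search, beside a check that
# parses the DN and prefers the SAN. Not the Oracle sample or CyanogenMod code.
import re
from typing import List, Optional, Sequence, Tuple
# Made-up attacker DN: O carries "cn=bank.example" behind an escaped comma; real CN is evil.example.
ATTACKER_DN = "O=Shop\\, cn=bank.example,CN=evil.example"

def naive_cn_from_dn(subject_dn: str) -> Optional[str]:
    """Flawed: the first 'cn=' anywhere in the DN text wins, even inside another value."""
    m = re.search(r"cn=([^,]+)", subject_dn, re.IGNORECASE)
    return m.group(1).strip() if m else None

def parse_dn(subject_dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (type, value) pairs, honouring backslash escapes."""
    parts, cur, escaped = [], [], False
    for ch in subject_dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":  # only an unescaped comma ends the current attribute
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [(t.strip().upper(), v.strip()) for t, _, v in (p.partition("=") for p in parts)]

def dn_common_names(subject_dn: str) -> List[str]:
    return [v for t, v in parse_dn(subject_dn) if t == "CN"]

def hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive exact match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        rest = pattern[1:]  # e.g. ".example.org"
        return host.endswith(rest) and len(host) > len(rest) and "." not in host[:-len(rest)]
    return pattern == host

def naive_verify(subject_dn: str, host: str) -> bool:
    cn = naive_cn_from_dn(subject_dn)
    return cn is not None and hostname_matches(cn, host)

def strict_verify(subject_dn: str, host: str, san_dns: Sequence[str] = ()) -> bool:
    """RFC 6125 style: when dNSName SANs are present use only them, else the CN(s)."""
    names = list(san_dns) if san_dns else dn_common_names(subject_dn)
    return any(hostname_matches(n, host) for n in names)
```

With the constructed DN, `naive_verify` accepts the certificate for bank.example while `strict_verify` only accepts it for evil.example, which is the behaviour a patched verifier should show.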

Bogdan Botezatu, Senior E-Threat Analyst, said:

“Vulnerabilities that affect the digital trust chain can deal a devastating blow to mobile users who are already spending significant time connected to insecure networks. Fortunately, the bug affects CyanogenMod only, a mobile OS that enjoys constant patching and frequent automatic updates, unlike proprietary ROMs.”

The vulnerability was apparently first disclosed in 2012. Bitdefender advises Cyanogen users to update their system as soon as possible.

About the author

Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.
