According to a news report from The Register, CyanogenMod developers re-used a snippet of code that Oracle had published as proof-of-concept code for processing SSL certificates and validating hostnames. The 10-year-old snippet, publicly available on GitHub, is known to contain flaws that let an attacker present a certificate legitimately issued for one domain as valid for a different hostname, so the forged identity passes the check even though the certificate authority never vouched for it.
“If you go and create a SSL certificate for a domain you own, say evil.com, and in an element of the certificate signing request such as the ‘organization name’ field you put the value ‘cn=*domain name*’, it will be accepted as the valid domain name for the certificate,” said the researcher claiming the discovery. “Since CyanogenMod uses this implementation for its browsers, you can go now and MitM someone’s phone,” he added.
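The quote above describes a certificate whose real CN is the attacker's own domain but whose organization-name attribute carries a smuggled "cn=" string. The following is an added illustration of that class of bug, not CyanogenMod's or Oracle's code: it assumes (an assumption, since the page does not show the flawed code) that the buggy checker looks for "CN=" by substring matching on the flattened subject DN string instead of parsing the DN attribute by attribute. The distinguished names, hostnames and function names are constructed for the example.

```python
"""Hostname validation: substring search on a DN string vs. attribute parsing.

Added example, not code from CyanogenMod or Oracle. ASSUMPTION: the flawed
checker extracts the certificate's common name by searching the stringified
subject DN for "CN=", so a "CN=" string planted in another attribute (here O,
the organization name) is treated as a name the certificate is valid for.
"""
import re


def naive_names_from_dn(dn: str) -> list[str]:
    """Buggy extraction: every "CN=<value>" substring anywhere in the DN."""
    return [m.strip() for m in re.findall(r"CN=([^,]*)", dn, flags=re.IGNORECASE)]


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 2253-style DN into (TYPE, value) pairs.

    Backslash escapes are honoured so an escaped comma inside a value
    (e.g. "O=Acme\\, Inc.") does not end the attribute.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    pairs = []
    for part in parts:
        attr_type, sep, value = part.partition("=")  # first '=' only
        if sep:
            pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def strict_names_from_dn(dn: str) -> list[str]:
    """Correct extraction: only values whose attribute type really is CN."""
    return [v for t, v in parse_dn(dn) if t == "CN"]


def hostname_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a hostname.

    One leading wildcard label is allowed: *.bank.example matches
    www.bank.example but not bank.example or a.b.bank.example.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern or not host:
        return False
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


def verify_hostname(subject_dn: str, host: str, strict: bool) -> bool:
    """Accept the certificate for `host` if a (correctly or naively) extracted
    name matches. The strict path also refuses ambiguous multi-CN subjects."""
    if strict:
        names = strict_names_from_dn(subject_dn)
        if len(names) != 1:
            return False
    else:
        names = naive_names_from_dn(subject_dn)
    return any(hostname_matches(n, host) for n in names)


# Constructed subjects (not real certificates). The attacker's CA-validated
# CN is evil.com; the organization name carries the forged "CN=" string.
ATTACKER_DN = "C=US, O=CN=www.bank.example, CN=evil.com"
BANK_DN = "C=US, O=Bank, CN=*.bank.example"
ESCAPED_DN = "O=Acme\\, Inc., CN=acme.example"

if __name__ == "__main__":
    print("buggy check, attacker cert for www.bank.example:",
          verify_hostname(ATTACKER_DN, "www.bank.example", strict=False))
    print("strict check, attacker cert for www.bank.example:",
          verify_hostname(ATTACKER_DN, "www.bank.example", strict=True))
```

With the buggy path the attacker's certificate is accepted for www.bank.example, which is exactly what a man-in-the-middle needs; with the parsed path only evil.com is accepted. In a real verifier the subject CN should not be consulted at all when the certificate carries subjectAltName dNSName entries (in Java, `X509Certificate.getSubjectAlternativeNames()`), and the DN should come from the certificate's ASN.1 structure rather than from a re-parsed string.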
Bogdan Botezatu, Bitdefender Senior E-Threat Analyst, said:
“Vulnerabilities that affect the digital trust chain can deal a devastating blow to mobile users who are already spending significant time connected to insecure networks. Fortunately, the bug affects CyanogenMod only, a mobile OS that enjoys constant patching and frequent automatic updates, unlike proprietary ROMs.”
The vulnerability was apparently first disclosed in 2012. Bitdefender advises CyanogenMod users to update their system as soon as possible.