A security vulnerability was recently reported to the Crosswalk team. The vulnerability report, as documented by Nightwatch Cybersecurity (https://wwws.nightwatchcybersecurity.com/), is as follows:

Vulnerability:
==============

* Software/Product(s) containing the vulnerability:
Crosswalk project

* Please describe the vulnerability:
If an MITM proxy is used for SSL, the application shows an error message about an invalid SSL certificate. If the user presses "OK", all future communication accepts any SSL certificate even if not valid.
Contrast this with regular Android / iOS applications where each network request re-checks if the certificate is valid.
Anyone using Crosswalk project to build an app is affected.

* How may an attacker exploit this vulnerability?
Users of app can be fooled into using the app even with an error

* What is the impact of exploiting this vulnerability?
Get user's data

* How did you find the vulnerability?
manual test of Fastmail Android app

This issue has been resolved and is fixed in all current versions of Crosswalk. Specifically, the fix was introduced in:

- 19.49.514.5 (stable)
- 20.50.533.11 (beta)
- 21.51.546.0 (beta)
- 22.51.549.0 (canary)

These updates can be found at the following URLs:

- https://download.01.org/crosswalk/releases/crosswalk/android/stable/
- https://download.01.org/crosswalk/releases/crosswalk/android/beta/
- https://download.01.org/crosswalk/releases/crosswalk/android/canary/

The Crosswalk Project thanks Nightwatch Cybersecurity for responsibly reporting this issue and working with us to responsibly disclose the issue to the Crosswalk community and the public.

Ryan Ware
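
To check an app inventory against the fixed builds listed in the advisory above, the following Python script (an added example, not code from the Crosswalk project or Nightwatch Cybersecurity) compares each embedded Crosswalk version with the first fixed build of its branch. It assumes that branches older than 19 have no fixed build and that branches newer than 22 carry the fix; the function names and the sample inventory are constructed for illustration.

```python
# Added example: not Crosswalk project code.
# First fixed build per major branch, taken from the advisory above.
FIRST_FIXED = {
    19: (19, 49, 514, 5),    # stable
    20: (20, 50, 533, 11),   # beta
    21: (21, 51, 546, 0),    # beta
    22: (22, 51, 549, 0),    # canary
}


def parse_version(text):
    """Parse 'A.B.C.D' into a tuple of ints; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part Crosswalk version: {text!r}")
    return tuple(int(p) for p in parts)


def has_ssl_fix(version_text):
    """True if the build is at or past the first fixed build of its branch."""
    version = parse_version(version_text)
    major = version[0]
    if major < min(FIRST_FIXED):
        return False  # assumption: no fixed build is listed for older branches
    if major > max(FIRST_FIXED):
        return True   # assumption: later branches carry the fix
    # Compare numerically: as strings, '514.10' would sort before '514.5'.
    return version >= FIRST_FIXED[major]


def audit(inventory):
    """Map each app name to 'fixed', 'vulnerable' or 'unknown' (unparseable)."""
    report = {}
    for app, version_text in inventory.items():
        try:
            report[app] = "fixed" if has_ssl_fix(version_text) else "vulnerable"
        except ValueError:
            report[app] = "unknown"
    return report


if __name__ == "__main__":
    # Constructed inventory: app names and embedded versions are made up.
    sample = {"app-a": "19.49.514.5", "app-b": "19.49.514.4",
              "app-c": "20.50.533.10", "app-d": "18.48.477.13", "app-e": "n/a"}
    for app, status in audit(sample).items():
        print(app, status)
```

An "unknown" result means the version string could not be parsed and the build should be inspected by hand.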
