Bilyoner mobile apps prone to various SSL/TLS attacks

2014-05-15 Thread harun . esur
=
  Sceptive Security Advisory

Synopsis:  Bilyoner mobile apps prone to various SSL/TLS attacks
Product: Various mobile applications
Advisory URL:
http://sceptive.com/p/bilyoner-mobile-apps-prone-to-various-ssltls-attacks
Advisory number: CVE-2014-3750
Issue date:  2014-04-02
=

1. Summary:

Bilyoner [1] is an online betting platform for various betting options on
iddaa [2], spor toto [3], milli piyango [4], tjk [5].

We have found that the mobile apps are vulnerable to SSL/TLS attacks, which
eventually lets attackers gain sensitive information and hijack user sessions.

2. Description:

On misconfigured network environments it is possible to redirect HTTPS packets 
over MITM tools for SSL sessions.

When we redirected our network through such a configuration, we observed that
the app sends/receives user data unencrypted.

REQUEST

{
  password: 333444,
  sessionId: 9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e,
  username: 12312312
}

Also, session IDs are vulnerable: attackers can use them on their own
configurations to hijack other users' sessions. For example:

RESPONSE

{
  bilyonerCookies: {
    JSESSIONID: RQdFTcnPydRypLXc71kXhYjBtN5p5sGT31GN4hvRlsN8qTz2GQ2T!-1656694263,
    NSC_wtfswfs-ttm: c3a0840e45525d5f4f58455e445a4a423660
  },
  bilyonerSessionId: C1yTTcnP2wSnwyV2gstRkhrsBh8dsqJfvCYBFHqTGvVwhZSYhsJM!-1656694263!1394403087638,
  sessionId: 9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e
}

3. Solution:

For Android apps it's advised to upgrade to 2.3.1. For iOS platforms 4.6.2 is
available.

4. Links:

[1] http://www.bilyoner.com/
[2] http://www.iddaa.com/
[3] https://www.sportoto.gov.tr/
[4] http://www.millipiyango.gov.tr/
[5] http://www.tjk.org/EN

5. Contact:

Harun Esur harun.e...@sceptive.com

Copyright 2014 Sceptive http://sceptive.com

=


Misli.com Android App SSL certificate validation weakness

2014-04-24 Thread harun . esur
Title: Misli.com Android App SSL certificate validation weakness
Advisory URL: 
http://sceptive.com/p/mislicom-android-app-ssl-certificate-validation-weakness-

== Overview

Misli.com is an online betting website which also provides an Android app for
its members to make betting easier.

We have found that the Android app is vulnerable to SSL MITM attacks
(http://en.wikipedia.org/wiki/Man-in-the-middle_attack), which eventually let
attackers gather user names and passwords and gain session hijacking
capabilities against app users.

== Description

On misconfigured network environments it is possible to redirect HTTPS packets 
over MITM tools for SSL sessions.

When we redirected our network through such a configuration, we observed that
the app sends/receives user data unencrypted.

REQUEST

{
login: a...@abc.com,
password: 123456,
sessionid: 5e8c1de7-229a-49cf-a6aa-30fa9be9c41d
}

Also, session IDs are vulnerable: attackers can use them on their own
configurations to hijack other users' sessions.

== Affected Versions

No version is given in the app, but we provide the MD5 hash of the vulnerable
APK:

MD5 (android.apk) = 35bb423c18e7269922d9610ef050b7ae

== Fixes

No known fixes have been released yet.


Birebin.com Android App SSL certificate validation weakness

2014-04-24 Thread harun . esur
Title: Birebin.com Android App SSL certificate validation weakness
Advisory URL:
http://sceptive.com/p/birebincom-android-app-ssl-certificate-validation-weakness-

== Overview

Birebin.com is an online betting website which also provides an Android app for
its members to make betting easier.

We have found that the Android app is vulnerable to SSL MITM attacks
(http://en.wikipedia.org/wiki/Man-in-the-middle_attack), which eventually let
attackers gather user names and passwords and gain session hijacking
capabilities against app users.

== Description

On misconfigured network environments it is possible to redirect HTTPS packets 
over MITM tools for SSL sessions.

When we redirected our network through such a configuration, we observed that
the app sends/receives user data unencrypted.

REQUEST

{
Password: 123456,
UserName: a...@abc.com
}

Also, the Token value which is used for session awareness is vulnerable:
attackers can use it on their own configurations to hijack other users'
sessions.

== Affected Version(s)

No version is given in the app, but we provide the MD5 hash of the vulnerable
APK:

MD5 (birebin-android-latest.apk) = 60bea6a1694b1ffc87c4dc3f2ba6a8be

== Fixes

No known fixes have been released yet.
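
The behaviour these advisories describe, reproduced on loopback as an added example (not code from the advisories or from the affected apps): a client that skips certificate validation hands its login JSON to a listener presenting an untrusted certificate, while a client using default validation aborts the handshake. It uses Python's standard library rather than Android code; the installed `openssl` CLI, the self-signed certificate, the credential values and all function names are assumptions constructed for the illustration.

```python
import json, os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(d):
    # Constructed stand-in for an interception proxy's certificate (no trusted CA).
    cert, key = os.path.join(d, "cert.pem"), os.path.join(d, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1",
                    "-subj", "/CN=localhost"], check=True, capture_output=True)
    return cert, key

def serve_once(cert, key, seen):
    # Loopback TLS listener that records any plaintext a client discloses to it.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    def run():
        try:
            with srv, ctx.wrap_socket(srv.accept()[0], server_side=True) as tls:
                seen.append(tls.recv(4096).decode())
                tls.sendall(b"ok")
        except OSError:  # covers ssl.SSLError: the client aborted the handshake
            pass
    threading.Thread(target=run, daemon=True).start()
    return port

def login(port, ctx):
    body = json.dumps({"username": "demo", "password": "constructed"}).encode()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(body)
                tls.recv(16)  # wait for the reply so the server has read the body
        return "sent"
    except ssl.SSLCertVerificationError:
        return "refused"

def demo():
    weak = ssl.create_default_context()
    weak.check_hostname = False            # weak: hostname is not checked ...
    weak.verify_mode = ssl.CERT_NONE       # ... and any certificate is accepted
    strict = ssl.create_default_context()  # default: chain and hostname verified
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_self_signed(d)
        for name, ctx in (("weak", weak), ("strict", strict)):
            seen = []
            results[name] = (login(serve_once(cert, key, seen), ctx), seen)
    return results
```

`demo()` returns, per client, the login outcome and whatever the listener was able to read; only the client with validation disabled discloses its credentials.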