Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31008
HistoryAug 18, 2014 - 12:00 a.m.

Outlook.com for Android fails to validate server certificates

2014-08-1800:00:00
vulners.com
40
JSON

Outlook.com for Android fails to validate server certificates

Yorick Koster, April 2014

Abstract

Outlook.com for Android's WebView contains an insecure SSL error handler
that ignores any certificate validation errors. Due to this, it is
possible to perform a man in the middle attack against this app. The
vulnerable component is uses to log into outlook.com. A successful
attack allows sniffing of login credentials (user name & password).

Demonstration:
http://vimeo.com/101999863

Tested versions

This issue was found in Outlook.com for Android version 7.8.2.12.49.2176
and version 7.8.2.12.49.6434.

See also

  • CVE-2014-5239 [2]
  • JVNDB-2014-000086 [3] Outlook.com for Android contains an issue where
    it fails to verify SSL server certificates

Fix

A new version (7.8.2.12.49.7090) of Outlook.com for Android was released
in which the affected SSL error handler is no longer present. The latest
version of Outlook.com for Android can be obtained from Google Play [4]

Introduction

When logging into outlook.com, Outlook.com for Android will load
login.live.com in a WebView. This WebView has implemented a custom SSL
error handler [5], which basically ignores any certificate validation
errors.

Insecure error handler

The affected SSL error handler can be found in the
AuthorizationWebViewClient inner class of
com.microsoft.live.AuthorizationRequest$OAuthDialog. The relevant code
is listed below.

public void onReceivedSslError(WebView paramWebView, SslErrorHandler
paramSslErrorHandler, SslError paramSslError)
{
AuthorizationRequest.OAuthDialog.this.setLiveSdkProvProgressStatus(false);
paramSslErrorHandler.proceed();
}

As can be seen in this listing, the method gets an SslErrorHandler
instance named paramSslErrorHandler. The handler calls proceed() [6],
which will ignore any certificate error and the connection will be
created. Due to this, any invalid certificate will also be accepted,
even the attacker's certificate rendering the app vulnerable to man in
the middle attacks. Since this issue exists within a login component, it
is possible to steal Microsoft account login credentials, which is
usually an Outlook.com email address and password.

References

[1] http://www.securify.nl/advisory/SFY20140403/outlook_com_for_android_fails_to_validate_server_certificates.html
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5239
[3] http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000086.html
[4] https://play.google.com/store/apps/details?id=com.outlook.Z7
[5] http://developer.android.com/reference/android/webkit/WebViewClient.html#onReceivedSslError%28android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError%29
[6] http://developer.android.com/reference/android/webkit/SslErrorHandler.html#proceed%28%29

Related

prion 1
jvn 1
cve 1
securityvulns 1
prion
prion
Design/Logic Flaw
2014-08-14 05:01:00
jvn
jvn
JVN#72950786: Outlook.com for Android contains an issue where it fails to verify SSL server certificates
2014-07-30 00:00:00
cve
cve
CVE-2014-5239
2014-08-14 05:01:00
securityvulns
securityvulns
Outlook.com for Android insufficient certificate validation
2014-08-18 00:00:00
JSON
Related for SECURITYVULNS:DOC:31008
prion1jvn1cve1securityvulns1