CyanogenMod Exposed to Man-in-the-Middle Attacks – Another Case of Coder Negligence
CyanogenMod is one of the most popular third-party custom ROMs among Android users. The custom firmware runs on a variety of devices internationally and has over 10 million users, a clear sign of its popularity among Android fans thanks to the level of customization it offers. However, a recent leak suggests that the ROM contains vulnerable sample code that would expose millions of CM users to Man-in-the-Middle (MitM) attacks. This vulnerable code was copy-pasted from Oracle’s sample code for Java 1.5 for parsing certificates to obtain hostnames. That code is vulnerable to an older bug, which puts devices running CyanogenMod at risk too. Remember, there are a lot of other third-party custom firmwares based on CM which may contain the same sample code too.
CyanogenMod Android devices at MitM risk:
The report of this alleged security threat comes from an anonymous security researcher who claims that the CM developers have simply “copy-pasted the sample code”, which was outdated and vulnerable to an old bug that opens the door to MitM attacks.
“I was looking at HTTP component code and I was thinking I had seen this code before. I checked on GitHub and found out a tonne of others were using it” … “If you go and create a SSL certificate for a domain you own, say evil.com and in an element of the certificate signing request such as the ‘organisation name’ field you put the ‘value,cn=*domain name*’, it will be accepted as the valid domain name for the certificate.” … “Cyanogenmod uses this implementation for its browsers so you can go now and MitM someone’s phone.”
The security researcher has reportedly reached out to the CyanogenMod team and claims that the fix is fairly simple. However, it does remind us of the Heartbleed bug in OpenSSL, which of course wasn’t a case of copy-pasting but remained undetected for years thanks to a small team overloaded with work. These small errors or a tiny instance of negligence can put millions of users at risk in this increasingly digital era, and we keep seeing examples of it.
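The parsing flaw the researcher describes, shown next to a structured parse, as an added example (not CyanogenMod's, Oracle's or the researcher's code). The class and method names are hypothetical, and the subject string is constructed, with victim.example standing in for the impersonated domain.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SubjectCnDemo {
    // Naive pattern: split the printed subject on commas and take whatever
    // follows "cn=". A comma inside an attribute value is wrongly treated
    // as a field separator, so text from another field can become a "CN".
    static List<String> naiveCns(String subject) {
        List<String> cns = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(subject, ",");
        while (st.hasMoreTokens()) {
            String tok = st.nextToken().trim();
            if (tok.regionMatches(true, 0, "cn=", 0, 3)) {
                cns.add(tok.substring(3));
            }
        }
        return cns;
    }

    // Structured parse: LdapName honours RFC 2253 escaping, so an escaped
    // comma stays inside its value and only real CN attributes are returned.
    static List<String> parsedCns(String subject) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subject).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(rdn.getValue().toString());
            }
        }
        return cns;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject in RFC 2253 form: the O value holds an escaped comma.
        String subject = "CN=evil.com,O=value\\,cn=victim.example,C=US";
        System.out.println("naive : " + naiveCns(subject));
        System.out.println("parsed: " + parsedCns(subject));
    }
}
```

The naive method reports two common names, including the one planted in the organisation field, while the structured parse reports only the certificate's actual CN.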
– Source: The Register