CyanogenMod Android devices at MitM risk:
The report of this alleged MitM threat comes from an anonymous security researcher, who claims that the CM developers simply "copy-pasted the sample code", which was outdated and vulnerable to an old bug that opens the door to MitM attacks.
"I was looking at HTTP component code and I was thinking I had seen this code before. I checked on GitHub and found out a tonne of others were using it" ... "If you go and create an SSL certificate for a domain you own, say evil.com and in an element of the certificate signing request such as the 'organisation name' field you put the 'value,cn=*domain name*', it will be accepted as the valid domain name for the certificate." ... "CyanogenMod uses this implementation for its browsers so you can go now and MitM someone's phone."
The security researcher has reportedly reached out to the CyanogenMod team and claims that the fix is fairly simple. However, it does remind us of the Heartbleed bug in OpenSSL, which of course wasn't a case of copy-pasting but remained undetected for years thanks to a small team overloaded with work. Such small errors or tiny instances of negligence can put millions of users at risk in this increasingly digital era, and we keep seeing examples of it.
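The flaw the researcher describes comes down to recovering hostnames by splitting the certificate's subject string on commas instead of reading its typed attributes. The Python model below is an added example, not CyanogenMod's or the HTTP component's code; the function names, the simplified escaping and the `.example` hostnames are constructed for illustration.

```python
# Constructed sample: subject of a certificate legitimately issued for
# evil.example, held as typed (attribute, value) pairs the way X.509 stores it.
# The organisation field carries the text the researcher describes.
SUBJECT = [("O", "value,cn=bank.example"), ("CN", "evil.example")]


def render_dn(rdns):
    """Flatten the subject to a display string, escaping '\\' and ','
    (a simplified form of the usual distinguished-name escaping)."""
    def esc(value):
        return value.replace("\\", "\\\\").replace(",", "\\,")
    return ", ".join(f"{attr}={esc(value)}" for attr, value in rdns)


def naive_common_names(dn_string):
    """Flawed check: split on every comma and accept any token that starts
    with 'cn=', ignoring escaping and which attribute the text came from."""
    names = []
    for token in dn_string.split(","):
        token = token.strip()
        if token.lower().startswith("cn="):
            names.append(token[3:].lower())
    return names


def strict_common_names(rdns):
    """Hardened check: take values only from attributes whose type is CN and
    never re-parse the text of any other attribute."""
    return [value.lower() for attr, value in rdns if attr.upper() == "CN"]


def host_matches(host, names):
    """Exact, case-insensitive hostname comparison (wildcards left out)."""
    return host.lower() in names


if __name__ == "__main__":
    dn = render_dn(SUBJECT)
    print("subject string:", dn)
    print("naive names   :", naive_common_names(dn))
    print("strict names  :", strict_common_names(SUBJECT))
    print("bank.example accepted (naive) :",
          host_matches("bank.example", naive_common_names(dn)))
    print("bank.example accepted (strict):",
          host_matches("bank.example", strict_common_names(SUBJECT)))
```

The naive parser is fooled even though the comma in the organisation value is escaped in the string form, which is why the hardened version never goes through the string at all.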
- Source: The Register