Menu
Company

CyanogenMod Exposed to Man-in-the-Middle Attacks – Another Case of Coder Negligence

Rafia Shaikh
Oct 13, 2014, 08:29 PM EDT
CyanogenMod is one of the most popular third-party custom ROM used by Android users. The custom firmware is used on a variety of devices internationally by over 10 million users which is a vocal example of its popularity in the Android fans thanks to the level of customization it offers. However, a recent leak suggests that the ROM contains a vulnerable sample code that would expose millions of CM users to Man-in-the-Middle (MitM) attacks. This vulnerable code was copy-pasted from Oracle's sample code for Java 1.5 for parsing certificates to obtain hostnames. The code part is vulnerable to an older bug making CyanogenMod running devices at risk too. Remember, there are a lot of other third-party custom firmwares based on CM which may contain the same sample code too.cyanogenmod mitm

CyanogenMod Android devices at MitM risk:

The report of this alleged security threat of MitM attacks comes through an anonymous security researcher who claims that the CM developers have simply "copy-pasted the sample code" which was outdated and vulnerable to an old bug opening for MitM attacks.

I was looking at HTTP component code and I was thinking I had seen this code before. I checked on GitHub and found out a tonne of others were using it" ...  "If you go and create a SSL certificate for a domain you own, say evil.com and in an element of the certificate signing request such as the 'organisation name' field you put the 'value,cn=*domain name*, it will be accepted as the valid domain name for the certificate." ... "Cyanogenmod uses this implementation for its browsers so you can go now and MitM someone's phone."

The security researcher has reportedly reached out to CyanogenMod team and claims that the fix is fairly simple. However, it does remind us of the Heartbleed bug in OpenSSL which of course wasn't a case of copy-pasting case, but remained undetected for years thanks to a small team overloaded with work. These small errors or a tiny instance of negligence can expose millions of users at risk in this increasingly digital era and we are repeatedly experiencing the examples.

Source: The Register

A message from our sponsor

Further Reading

WccfTech Tv
Subscribe
02:37
Intel 13th Gen Raptor Lake CPUs & Z790 Motherboards Rumored To Launch on 17th October
02:48
Intel Xeon W9-3495 Sapphire Rapids HEDT CPU Spotted – Rocks 56 Cores, 112 Threads
02:32
GeForce RTX 4090 Graphics Card Allegedly Delivers Over 160 FPS In Control With RT & DLSS at 4K
01:41
NVIDIA GeForce RTX 4090 Graphics Card Almost Twice As Fast As RTX 3090 In 3DMark Time Spy Benchmark
02:49
Intel’s High-End Arc A750 Limited Edition Desktop Graphics Card Pictured, Sleek Reference Design
02:25
UP 4000, an Intel-based Raspberry Pi alternative is currently available for around $116
02:56
NVIDIA GeForce RTX 4090 Ti & RTX 4090 Graphics Card Renders Point To 3-Slot Founders Edition Cooler
03:24
Alleged Intel Raptor Lake Core i9-13900 CPU With 24 Cores & 32 Threads Spotted
01:39
AMD Radeon HD 7970, The World’s First DX12 GPU, Receives Adrenalin 22.6.1 WHQL Driver
02:12
China’s Domestic NVMe SSD Controller Manufacturer To Launch 14.5 GB/s PCIe Gen 5.0 Solution In 2023
02:39
MSI Demonstrates 5.1 GHz Intel Alder Lake Non-K CPU Overclocking on MAG B660M Mortar Motherboard
02:22
ZOTAC Unveils VR GO 4.0: An NVIDIA RTX GPU Equipped Backpack For Wireless VR Gaming
02:08
AYN Loki With Intel Alder Lake CPU/AMD Zen3+ Next-Gen Handheld PC Announced
01:32
Gigabyte Is AMD AM5 Socket Ready With All Of Its Air & Liquid Coolers Offering Full Compatibility
02:23
AMD Ryzen 9 7950X With 16 Zen 4 Cores Shows Up In AM5 ‘LGA 1718’ CPU Installation Video Guide
Filter videos by
Order