[Original posted here: http://ift.tt/2rscfr8]

SUMMARY

The Google I/O 2017 Application for Android does not use SSL when retrieving some of the information used to populate the app. This would allow an MITM attacker to inject their own content into the application. The vendor (Google) fixed the issue in v5.1.4 of the application.

DETAILS

The Google I/O 2017 application for Android is a companion app produced by Google for their annual I/O conference that takes place in May. This particular version was produced for the I/O conference in May of 2017.

While performing network level testing of various Google applications, we discovered that the content for the application did not use SSL. This would allow an MITM attacker to inject their own content into the application using a method like ARP spoofing, DNS takeover, etc.

To replicate the issue on v5.03:

1. Install the application.
2. Set up the proxy without an SSL certificate and point the Android device to it.
3. Go to the application and select the "feed" option (middle icon on the bottom).
4. Go back to the proxy and observe captured traffic.

[Screenshots are in the blog post]

The specific URL was "http://ift.tt/2pV4mdF", which then causes the device to download additional URLs. The following URLs are downloaded:

- http://ift.tt/2pV4mdF
- http://ift.tt/2rfNFO4
- http://ift.tt/2pVfwPk
- http://ift.tt/2rgquD9

This can also be seen in the source code of the I/O 2016 application on GitHub here (lines 42-43): http://ift.tt/2pUQCiP
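A source-level check for the issue described above, added here as an example and not taken from the advisory or from Google's code: a Python scan that reports hard-coded `http://` string literals in Java source while ignoring URLs that only appear in comments. The sample Java, its hostnames and the namespace skip-list are constructed assumptions.

```python
import re

# A "//" inside a string literal is not a comment; a URL in a comment is not live code.
TOKEN = re.compile(
    r'"(?:\\.|[^"\\\n])*"'     # string literal
    r"|'(?:\\.|[^'\\\n])+'"    # char literal
    r"|//[^\n]*"               # line comment
    r"|/\*.*?\*/",             # block comment
    re.S,
)
CLEARTEXT_LITERAL = re.compile(r'"(http://[^"\s]+)"')
# Assumption: these prefixes are XML namespace identifiers, never fetched.
NON_FETCH_PREFIXES = ("http://schemas.android.com/", "http://www.w3.org/")

# Constructed sample input; hostnames are placeholders.
SAMPLE_JAVA = '''\
package com.example.feed;  // constructed sample, not code from the I/O app

public class FeedConfig {
    /* old endpoint: "http://old.example.com/feed.json" */
    static final String MANIFEST_URL = "http://feed.example.com/manifest.json";
    static final String API_URL = "https://api.example.com/v1/sessions";
    static final String XMLNS = "http://schemas.android.com/apk/res/android";
    // fallback "http://commented.example.com/x"
    static final String IMAGES = "http://img.example.com/" + "banner.png";
}
'''

def strip_comments(source):
    """Blank out comments, keeping literals and line numbers unchanged."""
    def keep_or_blank(match):
        text = match.group(0)
        if text[0] in "\"'":
            return text
        return re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(keep_or_blank, source)

def find_cleartext_urls(source):
    """Return (line_number, url) for each http:// string literal in live code."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), 1):
        for match in CLEARTEXT_LITERAL.finditer(line):
            url = match.group(1)
            if not url.startswith(NON_FETCH_PREFIXES):
                findings.append((lineno, url))
    return findings

if __name__ == "__main__":
    for lineno, url in find_cleartext_urls(SAMPLE_JAVA):
        print(f"line {lineno}: cleartext URL literal {url}")
```

Run over a source tree in CI, a non-empty result marks endpoints to move to HTTPS before release.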