Bilyoner Mobile Applications SSL/TLS Attacks

Bilyoner Mobile Applications SSL/TLS Attacks: Posted May 15, 2014; Authored by Harun Esur; Bilyoner mobile applications are prone to various SSL/TLS attacks. Note that this finding houses site-specific data.; tags | advisory; advisories | CVE-2014-3750; SHA-256 | 3e4620f372271f1aafbe2da3a1493c3650555c58774e0908e18ec210054b5b02; Download | Favorite | View

Bilyoner Mobile Applications SSL/TLS Attacks

=====================================================================
                                                  Sceptive Security Advisory

Synopsis:          Bilyoner mobile apps prone to various SSL/TLS attacks
Product:             Various mobile applications
Advisory URL:    http://sceptive.com/p/bilyoner-mobile-apps-prone-to-various-ssltls-attacks
Advisory number: CVE-2014-3750
Issue date:          2014-04-02
=====================================================================

1. Summary:

Bilyoner [1] is an online betting platform for various betting options on idda [2] , spor toto [3], milli piyango [4], tjk [5].

We have found that mobile apps vulnerable to SSL/TLS attacks which eventually lets attackers to gain sensitive information and hijack user sessions.

2. Description:

On misconfigured network environments it is possible to redirect HTTPS packets over MITM tools for SSL sessions.

When we redirected our network on such a configuration we have observed that app sends/receives user data unecrypted.

REQUEST

{
    "password": "333444",
    "sessionId": "9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e",
    "username": "12312312"
}

And also session-id's are vulnerable for attackers to use on their own configurations to hijack other users' sessions. Such as;

RESPONSE

{
    "bilyonerCookies": {                                                                                                   
        "JSESSIONID": "RQdFTcnPydRypLXc71kXhYjBtN5p5sGT31GN4hvRlsN8qTz2GQ2T!-1656694263",        
         "NSC_wtfswfs-ttm": "ffffffffc3a0840e45525d5f4f58455e445a4a423660"
    },                                                                                                                     
    "bilyonerSessionId": "C1yTTcnP2wSnwyV2gstRkhrsBh8dsqJfvCYBFHqTGvVwhZSYhsJM!-1656694263!1394403087638",
    "sessionId": "9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e"
}

3. Solution:

For Android apps it's advised to upgrade 2.3.1. For IOS platforms 4.6.2 is available..

4. Links:

[1] http://www.bilyoner.com/
[2] http://www.iddaa.com/
[3] https://www.sportoto.gov.tr/
[4] http://www.millipiyango.gov.tr/
[5] http://www.tjk.org/EN

5. Contact:

Harun Esur <harun.esur@sceptive.com>

Copyright 2014 Sceptive <http://sceptive.com>

=====================================================================

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Bilyoner Mobile Applications SSL/TLS Attacks

Bilyoner Mobile Applications SSL/TLS Attacks

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Bilyoner Mobile Applications SSL/TLS Attacks

Share This

Bilyoner Mobile Applications SSL/TLS Attacks

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems