Bilyoner Mobile Applications SSL/TLS Attacks

Bilyoner Mobile Applications SSL/TLS Attacks: Posted May 15, 2014; Authored by Harun Esur; Bilyoner mobile applications are prone to various SSL/TLS attacks. Note that this finding houses site-specific data.; tags | advisory; advisories | CVE-2014-3750; SHA-256 | 3e4620f372271f1aafbe2da3a1493c3650555c58774e0908e18ec210054b5b02; Download | Favorite | View

Bilyoner Mobile Applications SSL/TLS Attacks

=====================================================================
                                                  Sceptive Security Advisory

Synopsis:          Bilyoner mobile apps prone to various SSL/TLS attacks
Product:             Various mobile applications
Advisory URL:    http://sceptive.com/p/bilyoner-mobile-apps-prone-to-various-ssltls-attacks
Advisory number: CVE-2014-3750
Issue date:          2014-04-02
=====================================================================

1. Summary:

Bilyoner [1] is an online betting platform for various betting options on idda [2] , spor toto [3], milli piyango [4], tjk [5].

We have found that mobile apps vulnerable to SSL/TLS attacks which eventually lets attackers to gain sensitive information and hijack user sessions.

2. Description:

On misconfigured network environments it is possible to redirect HTTPS packets over MITM tools for SSL sessions.

When we redirected our network on such a configuration we have observed that app sends/receives user data unecrypted.

REQUEST

{
    "password": "333444",
    "sessionId": "9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e",
    "username": "12312312"
}

And also session-id's are vulnerable for attackers to use on their own configurations to hijack other users' sessions. Such as;

RESPONSE

{
    "bilyonerCookies": {                                                                                                   
        "JSESSIONID": "RQdFTcnPydRypLXc71kXhYjBtN5p5sGT31GN4hvRlsN8qTz2GQ2T!-1656694263",        
         "NSC_wtfswfs-ttm": "ffffffffc3a0840e45525d5f4f58455e445a4a423660"
    },                                                                                                                     
    "bilyonerSessionId": "C1yTTcnP2wSnwyV2gstRkhrsBh8dsqJfvCYBFHqTGvVwhZSYhsJM!-1656694263!1394403087638",
    "sessionId": "9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e"
}

3. Solution:

For Android apps it's advised to upgrade 2.3.1. For IOS platforms 4.6.2 is available..

4. Links:

[1] http://www.bilyoner.com/
[2] http://www.iddaa.com/
[3] https://www.sportoto.gov.tr/
[4] http://www.millipiyango.gov.tr/
[5] http://www.tjk.org/EN

5. Contact:

Harun Esur <harun.esur@sceptive.com>

Copyright 2014 Sceptive <http://sceptive.com>

=====================================================================

Top Authors In Last 30 Days

Red Hat 269 files
Ubuntu 98 files
indoushka 37 files
Gentoo 29 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 12 files
Jim Blankendaal 11 files
Apple 10 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,084)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,534)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,560)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,418)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,704)
UNIX (9,432)
UnixWare (187)
Windows (6,668)
Other

Bilyoner Mobile Applications SSL/TLS Attacks

Bilyoner Mobile Applications SSL/TLS Attacks

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Bilyoner Mobile Applications SSL/TLS Attacks

Share This

Bilyoner Mobile Applications SSL/TLS Attacks

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems