Fundación Dr. Manuel Sadosky - Programa STIC Advisory
    www.fundacionsadosky.org.ar

Missing SSL certificate validation in MercadoLibre app for Android

1. *Advisory Information*

Title: Missing SSL cert validation in MercadoLibre app for Android
Advisory ID: STIC-2014-0211
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-11
Date of last update: 2014-11-10
Vendors contacted: MercadoLibre (NASDAQ:MELI)
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Improper Following of a Certificate's Chain of Trust [CWE-296]
Impact: Data loss
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Identifier: CVE-2014-5658


3. *Vulnerability Description*

   MercadoLibre (NASDAQ:MELI) is an online trading company focused on
enabling e-commerce and its related services in Latin America. According
to the company[1] MercadoLibre is the largest e-commerce ecosystem in
Latin America, offering a wide range of services to sellers and buyers
throughout the region including marketplace, payments, advertising and
e-building solutions. It operates in 13 countries including Argentina,
Brazil, Chile, Colombia, Mexico, Peru, and Venezuela.

    The company provides services to its users through a set of
country-localized web applications and an Android application that is
available for download in Argentina, Brasil, Chile, Colombia, Costa
Rica, Ecuador, México, Panamá, Perú, Portugal, República Dominicana,
Uruguay y Venezuela. As of November, 2014 the application has between 10
and 50 million installations according to Google Play statistics[2].

    Vulnerable versions of the MercadoLibre's app for Android do not
validate the SSL certificate presented by the server. This allows
attackers to present fake certificates and perform Man-in-the-Middle
attacks allowing them to capture user's credentials to the site and
credit card information.

    The vendor fixed the problem in the latest version of the
applications. Users are advised to update their app as soon as possible.


4. *Vulnerable packages*

   . MercadoLibre for Android prior to 3.10.6.

5. *Vendor Information, Solutions and Workarounds*

     MercadoLibre acknowledged and fixed the vulnerability in version
3.10.6. They did so by updating the LoopJ Asynchronous Http Client
library to a version that does not skip the certificate validation
process by default.

      To determine which version of the application you have installed
on your Android device, go to "Settings|application settings|manage
application" then tap on the MercadoLibre app.


6. *Credits*
This vulnerability was discovered and researched by Joaquín Manuel
Rinaudo. The publication of this advisory was coordinated by Programa de
Seguridad en TIC.
      Will Dormann of CERT/CC independently discovered the SSL
certificate validation vulnerability using the CERT Tapioca tool.[5]

7. *Technical Description*

      MercadoLibre Android's application uses the LoopJ Android
Asynchornous HTTP client library [3] to communicate with the company's
web services. HTTP requests destined to the server are passed through
the 'MLAPIClient' interface to this library, which is responsible for
establishing a secure connection.

      The vulnerability is found in the class 'AsyncHttpClient' inside
the loopj library, which uses the class 'FakeSocketFactory' to set up
new sockets used to connect to remote web services. The sockets created
use a custom X509TrustManager named 'FakeTrustManager'. The
TrustManager's task is to verify that the SSL certificate presented by
the server is valid in order to prevent Man-in-the-Middle attacks. Since
'FakeTrustManager' is just an empty implementation, all SSL certificates
presented to it will be considered valid. This allows an attacker to
mount a MITM attack to capture user authentication credentials and other
security-sensitive data by intercepting traffic, creating fake X509
certificates on the fly and submitting them to MercadoLibre's Android
application.


8. *Report Timeline*

. 2014-09-02:

        Initial contact with the vendor requesting security contact
information to report vulnerabilities.

. 2014-09-09:
        Security contact information provided

. 2014-09-09:
  Programa de Seguridad en TIC sent the vendor a description of the
vulnerability notifying them also that CERT/CC[5] had published a
document listing applications that failed to validate SSL certificates
that included the MercadoLibre app, making the vulnerability now public.

. 2014-09-09:
  The vendor acknowledged the vulnerability and assured that the problem
was being addressed.

. 2014-09-09:
  Programa de Seguridad en TIC sent description of the ongoing research
project in which the vulnerabilitty was discovered as well as reference
to the vulnerability disclosure policy and procedures[4].

. 2014-09-17:
  Programa de Seguridad en TIC requested an status update and estimated
date for the release of a fixed version of the app.

. 2014-09-17:
           The vendor replied that the mobile team was working on the
problem, doing an assessment of the impact of the required change and
that the estimated date for a fix would be determined after that.

. 2014-09-17:
  Programa de Seguridad en TIC asks for an status update and estimated
date for the release of a fixed version fo the app.

. 2014-09-17:
        The vendor indicated that impact assessment was focused on
determining the number of users that would not be able to use the fixed
app due to a Certification Authority (CA) missing in older versions of
the Android keystore.

. 2014-09-18:
  Programa de Seguridad en TIC sent email detailing legal personal data
protection obligations[6] that apply to companies operating in
Argentina, a link to the US Federal Trade Commision case with Fandango
and Credit Karma[7] and points out MercadoLibre's security clause in its
own privacy policy statement[8].
        Programa de Seguridad en TIC suggests that the impact of a set
of users not being able to use the fixed app should be weighted against
the potential business risk of leaving the entire user base of the
Android app vulnerable to account hijacking attacks.

. 2014-09-22:
       Vendor replies that the risks are clearly understood and that
there is no question about whether the bug will or will not be fixed.
The vulnerability WILL be fixed. For further discussion Programa de
Seguridad en TIC can refer to the vendor's chief security officer.


. 2014-09-22:
  Programa de Seguridad en TIC thanks the vendor for its prompt response
and reminds that all communications regarding the report should be
carried over email so they can be documented and summarized in the
corresponding section of the security advisory as described in the
reporter's vulnerability reporting and disclosure procedure.

. 2014-09-24:
       Vendors informs that an updated app (version 3.10.6) fixing the
SSL certificate validation problem was rolled out and was already
available to 1% of the users.

. 2014-09-27:
       The vendor informed that the MercadoLibre app version 3.10.6 was
publicly available

. 2014-10-24:
  Programa de Seguridad en TIC informs vendor that although it did not
receive further information about availability of the new version of the
app, it assumed that by now it was available to 100% of the affected
users and therefore will proceed with the publication of the security
advisory the next monday.

. 2014-11-07:
        A new version of the MercadoLibre application was published on
the Google Play market

. 2014-11-11:
        The advisory was released.

9. *References*

[1] About MercadoLibre
    http://investor.mercadolibre.com/
[2] MercadoLibre for Android
    https://play.google.com/store/apps/details?id=com.mercadolibre
[3] LoopJ Asyncrhonous HTTP Client
    https://github.com/loopj/android-async-http
[4] Programa STIC - Vulnerability Reporting and Disclosure Procedure
    http://www.fundacionsadosky.org.ar/procedimiento-stic
[5] Vulnerability Note VU#582497. Multiple Android applications fail to
properly validate SSL certificates.
    http://www.kb.cert.org/vuls/id/582497
[6] Ley 25.326 de Protección de los Datos Personales, Argentina.

http://www.jus.gob.ar/datos-personales/cumpli-con-la-ley/%C2%BFcuales-son-tus-obligaciones.aspx
[7] Fandango, Credit Karma Settle FTC Charges that They Deceived
Consumers By Failing to Securely Transmit Sensitive Personal Information.

http://www.ftc.gov/news-events/press-releases/2014/03/fandango-credit-karma-settle-ftc-charges-they-deceived-consumers
[8] Políticas de privacidad y confidencialidad de la información,
MercadoLibre.
    http://ayuda.mercadolibre.com.ar/seguro_privacidad

10. *About Fundación Dr. Manuel Sadosky*

The Dr. Manuel Sadosky Foundation is a mixed (public / private)
institution whose goal is to promote stronger and closer interaction
between industry and the scientific-technological system in all aspects
related to Information and Communications Technology (ICT). The
Foundation was formally created by a Presidential Decree in 2009. Its
Chairman is the Minister of Science, Technology, and Productive
Innovation of Argentina; and the Vice-chairmen are the chairmen of the
country’s most important ICT chambers: The Software and Computer
Services Chamber (CESSI) and the Argentine Computing and
Telecommunications Chamber (CICOMRA). For more information visit:
http://www.fundacionsadosky.org.ar

11. *Copyright Notice*

The contents of this advisory are copyright (c) 2014 Fundación Sadosky
and are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/

-- 
Programa de Seguridad en TIC
Fundación Dr. Manuel Sadosky
Av. Córdoba 744 Piso 5 Oficina I
TE/FAX: 4328-5164