Android Adobe Air 22.0.0.153 Insecure Transport

Posted Sep 15, 2016
Site wwws.nightwatchcybersecurity.com

Android applications developed with Adobe AIR send data back to Adobe servers without HTTPS while running. This can allow an attacker to compromise the privacy of the applications' users. This has been fixed in Adobe AIR SDK release version 23.0.0.257. This affects applications compiled with the Adobe AIR SDK versions 22.0.0.153 and earlier.

tags | advisory, web
advisories | CVE-2016-6936
SHA-256 | 7116841c325788e68cfc1fa448456174602554df31525c572ce4f81042034b28

Original at:
https://wwws.nightwatchcybersecurity.com/2016/09/14/advisory-insecure-transmission-of-data-in-android-applications-developed-with-adobe-air-cve-2016-6936/

Summary

Android applications developed with Adobe AIR send data back to Adobe servers without HTTPS while running. This can allow an attacker to compromise the privacy of the applications' users. This has been fixed in Adobe AIR SDK release v23.0.0.257.

Details

Adobe AIR is a developer product which allows the same application code to be compiled and run across multiple desktop and mobile platforms. While monitoring network traffic during testing of several Android applications, we observed network traffic over HTTP without the use of SSL going to several Adobe servers, including the following:

- airdownload2.adobe.com
- mobiledl.adobe.com

Because encryption is not used, this would allow a network-level attacker to observe the traffic and compromise the privacy of the applications' users.

This affects applications compiled with the Adobe AIR SDK versions 22.0.0.153 and earlier.
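
To check whether devices on a network you monitor are still running affected builds, the following sketch flags cleartext HTTP requests to the two hosts listed above. It is an added example, not part of the original advisory; the tshark export format, the sample rows, client addresses and request paths are all constructed assumptions.

```python
"""Flag cleartext HTTP requests to the Adobe hosts named in the advisory.

Assumed input: tab-separated rows exported from a capture with
  tshark -r capture.pcap -Y http.request -T fields -e frame.time_epoch
         -e ip.src -e http.host -e http.request.uri
Only unencrypted HTTP yields an http.host value, so every matching row is
a request that a network-level observer could read.
"""
from collections import defaultdict

# Hosts listed in the advisory.
ADOBE_AIR_HOSTS = {"airdownload2.adobe.com", "mobiledl.adobe.com"}

# Constructed sample rows (addresses and paths are made up for illustration).
SAMPLE_ROWS = """\
1473861600.10\t10.0.0.21\tairdownload2.adobe.com\t/constructed/path-a
1473861601.55\t10.0.0.21\tMobileDL.adobe.com:80\t/constructed/path-b
1473861602.00\t10.0.0.34\texample.org\t/index.html
1473861603.20\t10.0.0.34\tmobiledl.adobe.com.\t/constructed/path-c
malformed line without tabs
1473861604.00\t10.0.0.40\tnot-airdownload2.adobe.com\t/
"""

def normalize_host(raw):
    """Lower-case the Host header and drop an explicit port and trailing dot."""
    host = raw.strip().lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def find_cleartext_air_requests(rows):
    """Return {client_ip: [(timestamp, host, uri), ...]} for matching rows."""
    hits = defaultdict(list)
    for line in rows.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip truncated or malformed rows
        ts, src, raw_host, uri = fields
        host = normalize_host(raw_host)
        if host in ADOBE_AIR_HOSTS:  # exact match, so look-alike names are ignored
            hits[src].append((float(ts), host, uri))
    return dict(hits)

if __name__ == "__main__":
    for client, reqs in find_cleartext_air_requests(SAMPLE_ROWS).items():
        print(client, len(reqs), "cleartext request(s):", reqs)
```

Clients that appear in the result are candidates for running an application built with an SDK older than the fixed release.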

Vendor Response

Adobe released a fix for this issue on September 13th, 2016 in Adobe AIR SDK v23.0.0.257. Developers should update and rebuild their applications using the latest SDK.

References

Adobe Security Bulletin: ASPB16-31
CVE: CVE-2016-6936

Timeline

2016-06-15: Report submitted to Adobe's HackerOne program
2016-06-16: Report out of scope for this program, directed to Adobe's PSIRT
2016-06-16: Submitted via email to Adobe's PSIRT
2016-06-17: Reply received from PSIRT and a ticket number is assigned
2016-09-09: Response received from the vendor that the fix will be released next week
2016-09-13: Fix released
2016-09-14: Public disclosure