exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VIPRE Password Vault 1.100.1090 Man-In-The-Middle

VIPRE Password Vault 1.100.1090 Man-In-The-Middle
Posted Jul 6, 2020
Authored by David Coomber

VIPRE Password Vault iOS application versions 1.100.1090 and below suffer from a man-in-the-middle vulnerability due to a lack of validation of SSL certificates.

tags | advisory
systems | ios
advisories | CVE-2020-14981
SHA-256 | ad2b385769262f6b82c11eb32205aa58cc8946448f0a2abb7f3f31a2dd608b59

VIPRE Password Vault 1.100.1090 Man-In-The-Middle

Change Mirror Download
VIPRE Password Vault iOS Application - MITM SSL Certificate Vulnerability (CVE-2020-14981)
--
https://www.info-sec.ca/advisories/Vipre-Password-Vault.html

Overview
"VIPRE Password Vault is the fast and easy way to securely manage all of your passwords without the hassle of writing them down or storing them on a spreadsheet. Whether you are logging into your favorite social media site, ordering the latest gadget from your favorite e-tailer, paying your bills online, or booking your vacation log in safely and securely using VIPRE’s new password manager."

(https://support.threattracksecurity.com/support/solutions/articles/1000104275-what-is-vipre-password-vault)

Issue
The VIPRE Password Vault iOS application (version 1.100.1090 and below, later versions have not been tested), does not validate the SSL certificate it receives when connecting to the application login server.

Impact
An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently. Sensitive information such as passwords could be captured by an attacker without the user's knowledge.

Timeline
July 18, 2015 - Attempted to notify ThreatTrack Security via security@vipreantivirus.com
July 29, 2015 - Notified ThreatTrack Security via a contact form
July 31, 2015 - ThreatTrack Security advised that the information has been routed to the proper team for remediation
December 3, 2015 - Provided the details to CERT/CC
April 3, 2016 - Provided the details to the Apple Product Security team
June 22, 2020 - Published an advisory to document the issue

CVE-ID:
CVE-2020-14981
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    4 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close