VIPRE Password Vault iOS application versions 1.100.1090 and below suffer from a man-in-the-middle vulnerability due to a lack of validation of SSL certificates.
ad2b385769262f6b82c11eb32205aa58cc8946448f0a2abb7f3f31a2dd608b59VIPRE Password Vault iOS Application - MITM SSL Certificate Vulnerability (CVE-2020-14981)
--
https://www.info-sec.ca/advisories/Vipre-Password-Vault.html
Overview
"VIPRE Password Vault is the fast and easy way to securely manage all of your passwords without the hassle of writing them down or storing them on a spreadsheet. Whether you are logging into your favorite social media site, ordering the latest gadget from your favorite e-tailer, paying your bills online, or booking your vacation log in safely and securely using VIPRE’s new password manager."
(https://support.threattracksecurity.com/support/solutions/articles/1000104275-what-is-vipre-password-vault)
Issue
The VIPRE Password Vault iOS application (version 1.100.1090 and below, later versions have not been tested), does not validate the SSL certificate it receives when connecting to the application login server.
Impact
An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently. Sensitive information such as passwords could be captured by an attacker without the user's knowledge.
Timeline
July 18, 2015 - Attempted to notify ThreatTrack Security via security@vipreantivirus.com
July 29, 2015 - Notified ThreatTrack Security via a contact form
July 31, 2015 - ThreatTrack Security advised that the information has been routed to the proper team for remediation
December 3, 2015 - Provided the details to CERT/CC
April 3, 2016 - Provided the details to the Apple Product Security team
June 22, 2020 - Published an advisory to document the issue
CVE-ID:
CVE-2020-14981
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed