Fundación Dr. Manuel Sadosky - Programa STIC Advisory www.fundacionsadosky.org.ar Missing SSL certificate validation in MercadoLibre app for Android 1. *Advisory Information* Title: Missing SSL cert validation in MercadoLibre app for Android Advisory ID: STIC-2014-0211 Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2 Date published: 2014-11-11 Date of last update: 2014-11-10 Vendors contacted: MercadoLibre (NASDAQ:MELI) Release mode: Coordinated release 2. *Vulnerability Information* Class: Improper Following of a Certificate's Chain of Trust [CWE-296] Impact: Data loss Remotely Exploitable: Yes Locally Exploitable: No CVE Identifier: CVE-2014-5658 3. *Vulnerability Description* MercadoLibre (NASDAQ:MELI) is an online trading company focused on enabling e-commerce and its related services in Latin America. According to the company[1] MercadoLibre is the largest e-commerce ecosystem in Latin America, offering a wide range of services to sellers and buyers throughout the region including marketplace, payments, advertising and e-building solutions. It operates in 13 countries including Argentina, Brazil, Chile, Colombia, Mexico, Peru, and Venezuela. The company provides services to its users through a set of country-localized web applications and an Android application that is available for download in Argentina, Brasil, Chile, Colombia, Costa Rica, Ecuador, México, Panamá, Perú, Portugal, República Dominicana, Uruguay y Venezuela. As of November, 2014 the application has between 10 and 50 million installations according to Google Play statistics[2]. Vulnerable versions of the MercadoLibre's app for Android do not validate the SSL certificate presented by the server. This allows attackers to present fake certificates and perform Man-in-the-Middle attacks allowing them to capture user's credentials to the site and credit card information. The vendor fixed the problem in the latest version of the applications. Users are advised to update their app as soon as possible. 4. *Vulnerable packages* . MercadoLibre for Android prior to 3.10.6. 5. *Vendor Information, Solutions and Workarounds* MercadoLibre acknowledged and fixed the vulnerability in version 3.10.6. They did so by updating the LoopJ Asynchronous Http Client library to a version that does not skip the certificate validation process by default. To determine which version of the application you have installed on your Android device, go to "Settings|application settings|manage application" then tap on the MercadoLibre app. 6. *Credits* This vulnerability was discovered and researched by Joaquín Manuel Rinaudo. The publication of this advisory was coordinated by Programa de Seguridad en TIC. Will Dormann of CERT/CC independently discovered the SSL certificate validation vulnerability using the CERT Tapioca tool.[5] 7. *Technical Description* MercadoLibre Android's application uses the LoopJ Android Asynchornous HTTP client library [3] to communicate with the company's web services. HTTP requests destined to the server are passed through the 'MLAPIClient' interface to this library, which is responsible for establishing a secure connection. The vulnerability is found in the class 'AsyncHttpClient' inside the loopj library, which uses the class 'FakeSocketFactory' to set up new sockets used to connect to remote web services. The sockets created use a custom X509TrustManager named 'FakeTrustManager'. The TrustManager's task is to verify that the SSL certificate presented by the server is valid in order to prevent Man-in-the-Middle attacks. Since 'FakeTrustManager' is just an empty implementation, all SSL certificates presented to it will be considered valid. This allows an attacker to mount a MITM attack to capture user authentication credentials and other security-sensitive data by intercepting traffic, creating fake X509 certificates on the fly and submitting them to MercadoLibre's Android application. 8. *Report Timeline* . 2014-09-02: Initial contact with the vendor requesting security contact information to report vulnerabilities. . 2014-09-09: Security contact information provided . 2014-09-09: Programa de Seguridad en TIC sent the vendor a description of the vulnerability notifying them also that CERT/CC[5] had published a document listing applications that failed to validate SSL certificates that included the MercadoLibre app, making the vulnerability now public. . 2014-09-09: The vendor acknowledged the vulnerability and assured that the problem was being addressed. . 2014-09-09: Programa de Seguridad en TIC sent description of the ongoing research project in which the vulnerabilitty was discovered as well as reference to the vulnerability disclosure policy and procedures[4]. . 2014-09-17: Programa de Seguridad en TIC requested an status update and estimated date for the release of a fixed version of the app. . 2014-09-17: The vendor replied that the mobile team was working on the problem, doing an assessment of the impact of the required change and that the estimated date for a fix would be determined after that. . 2014-09-17: Programa de Seguridad en TIC asks for an status update and estimated date for the release of a fixed version fo the app. . 2014-09-17: The vendor indicated that impact assessment was focused on determining the number of users that would not be able to use the fixed app due to a Certification Authority (CA) missing in older versions of the Android keystore. . 2014-09-18: Programa de Seguridad en TIC sent email detailing legal personal data protection obligations[6] that apply to companies operating in Argentina, a link to the US Federal Trade Commision case with Fandango and Credit Karma[7] and points out MercadoLibre's security clause in its own privacy policy statement[8]. Programa de Seguridad en TIC suggests that the impact of a set of users not being able to use the fixed app should be weighted against the potential business risk of leaving the entire user base of the Android app vulnerable to account hijacking attacks. . 2014-09-22: Vendor replies that the risks are clearly understood and that there is no question about whether the bug will or will not be fixed. The vulnerability WILL be fixed. For further discussion Programa de Seguridad en TIC can refer to the vendor's chief security officer. . 2014-09-22: Programa de Seguridad en TIC thanks the vendor for its prompt response and reminds that all communications regarding the report should be carried over email so they can be documented and summarized in the corresponding section of the security advisory as described in the reporter's vulnerability reporting and disclosure procedure. . 2014-09-24: Vendors informs that an updated app (version 3.10.6) fixing the SSL certificate validation problem was rolled out and was already available to 1% of the users. . 2014-09-27: The vendor informed that the MercadoLibre app version 3.10.6 was publicly available . 2014-10-24: Programa de Seguridad en TIC informs vendor that although it did not receive further information about availability of the new version of the app, it assumed that by now it was available to 100% of the affected users and therefore will proceed with the publication of the security advisory the next monday. . 2014-11-07: A new version of the MercadoLibre application was published on the Google Play market . 2014-11-11: The advisory was released. 9. *References* [1] About MercadoLibre http://investor.mercadolibre.com/ [2] MercadoLibre for Android https://play.google.com/store/apps/details?id=com.mercadolibre [3] LoopJ Asyncrhonous HTTP Client https://github.com/loopj/android-async-http [4] Programa STIC - Vulnerability Reporting and Disclosure Procedure http://www.fundacionsadosky.org.ar/procedimiento-stic [5] Vulnerability Note VU#582497. Multiple Android applications fail to properly validate SSL certificates. http://www.kb.cert.org/vuls/id/582497 [6] Ley 25.326 de Protección de los Datos Personales, Argentina. http://www.jus.gob.ar/datos-personales/cumpli-con-la-ley/%C2%BFcuales-son-tus-obligaciones.aspx [7] Fandango, Credit Karma Settle FTC Charges that They Deceived Consumers By Failing to Securely Transmit Sensitive Personal Information. http://www.ftc.gov/news-events/press-releases/2014/03/fandango-credit-karma-settle-ftc-charges-they-deceived-consumers [8] Políticas de privacidad y confidencialidad de la información, MercadoLibre. http://ayuda.mercadolibre.com.ar/seguro_privacidad 10. *About Fundación Dr. Manuel Sadosky* The Dr. Manuel Sadosky Foundation is a mixed (public / private) institution whose goal is to promote stronger and closer interaction between industry and the scientific-technological system in all aspects related to Information and Communications Technology (ICT). The Foundation was formally created by a Presidential Decree in 2009. Its Chairman is the Minister of Science, Technology, and Productive Innovation of Argentina; and the Vice-chairmen are the chairmen of the country’s most important ICT chambers: The Software and Computer Services Chamber (CESSI) and the Argentine Computing and Telecommunications Chamber (CICOMRA). For more information visit: http://www.fundacionsadosky.org.ar 11. *Copyright Notice* The contents of this advisory are copyright (c) 2014 Fundación Sadosky and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/ -- Programa de Seguridad en TIC Fundación Dr. Manuel Sadosky Av. Córdoba 744 Piso 5 Oficina I TE/FAX: 4328-5164