=====================================================================
Sceptive Security Advisory
Bilyoner [1] is an online betting platform offering various betting options on İddaa [2], Spor Toto [3], Milli Piyango [4] and TJK [5].
We have found that the mobile apps are vulnerable to SSL/TLS attacks which eventually let attackers obtain sensitive information and hijack user sessions.
On a misconfigured network it is possible to redirect the app's HTTPS traffic through MITM tools that terminate the SSL session.
When we redirected our traffic through such a configuration we observed that the app sends and receives user data unencrypted.
REQUEST
{
"password": "333444",
"sessionId": "9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e",
"username": "12312312"
}
The session identifiers are also vulnerable: an attacker can reuse them from their own client to hijack other users' sessions. For example:
RESPONSE
{
"bilyonerCookies": {
"JSESSIONID": "RQdFTcnPydRypLXc71kXhYjBtN5p5sGT31GN4hvRlsN8qTz2GQ2T!-1656694263",
"NSC_wtfswfs-ttm": "ffffffffc3a0840e45525d5f4f58455e445a4a423660"
},
"bilyonerSessionId": "C1yTTcnP2wSnwyV2gstRkhrsBh8dsqJfvCYBFHqTGvVwhZSYhsJM!-1656694263!1394403087638",
"sessionId": "9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e"
}
For Android apps, upgrading to version 2.3.1 is advised. For iOS, version 4.6.2 is available.
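The client-side mitigation for this class of weakness is to keep default chain and hostname validation and additionally pin the server's public key, so a certificate interposed on a hostile network is rejected even if the device trusts its issuer. The following Python is an added example, not code from this advisory or from Bilyoner's apps: it extracts the subjectPublicKeyInfo (SPKI) from a DER certificate, derives the usual base64(sha256(SPKI)) pin, and checks a presented certificate against a pin set. The certificates it runs on are tiny synthetic ones constructed inline, and `peer_spki_pin` is a hypothetical helper for computing the pin of a real server.

```python
import base64, hashlib, socket, ssl

def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length (e.g. RSA keys)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_der(cert):
    """Return the DER subjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = _tlv(cert, 0)                  # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, pos)                # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                            # optional [0] version (absent in v1 certs)
        pos = end
    for _ in range(5):                         # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert, pos)
    _, _, end = _tlv(cert, pos)                # subjectPublicKeyInfo SEQUENCE
    return cert[pos:end]

def spki_pin(cert):
    """Pin in the usual base64(sha256(SPKI)) form."""
    return base64.b64encode(hashlib.sha256(spki_from_der(cert)).digest()).decode()

def pin_matches(cert, pins):
    """True only if the presented certificate carries one of the pinned keys."""
    return spki_pin(cert) in set(pins)

def peer_spki_pin(host, port=443):
    """Pin of a live server's leaf certificate; chain and hostname are still validated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
        return spki_pin(tls.getpeercert(binary_form=True))

# Constructed test data: minimal synthetic DER certificates, not real ones.
def _der(tag, body):
    return bytes([tag, len(body)]) + body      # short-form length only (body < 128 bytes)

def make_cert(key_bits, with_version=True):
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))
    spki = _der(0x30, _der(0x30, rsa_oid + _der(0x05, b"")) + _der(0x03, b"\x00" + key_bits))
    version = _der(0xA0, _der(0x02, b"\x02")) if with_version else b""
    tbs = _der(0x30, version + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00")), spki

LEGIT_CERT, LEGIT_SPKI = make_cert(b"\x01\x02\x03\x04")
MITM_CERT, _ = make_cert(b"\x09\x09\x09\x09", with_version=False)   # interposed cert, other key
```

A pin is a property of the key, not of the certificate, so it survives certificate renewal as long as the key is kept; ship a backup pin for the key that will replace it, or the app locks itself out at rotation.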
[1] http://www.bilyoner.com/
[2] http://www.iddaa.com/
[3] https://www.sportoto.gov.tr/
[4] http://www.millipiyango.gov.tr/
[5] http://www.tjk.org/EN
Harun Esur <[email protected]>
Copyright 2014 Sceptive <http://sceptive.com>
=====================================================================