Missing SSL certificate validation in MercadoLibre app for Android [STIC-2014-0211]

Published: 2014-12-01 (vulners.com)
Fundacion Dr. Manuel Sadosky - Programa STIC Advisory
www.fundacionsadosky.org.ar

Missing SSL certificate validation in MercadoLibre app for Android

  1. Advisory Information

Title: Missing SSL cert validation in MercadoLibre app for Android
Advisory ID: STIC-2014-0211
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-11
Date of last update: 2014-11-10
Vendors contacted: MercadoLibre (NASDAQ:MELI)
Release mode: Coordinated release

  2. Vulnerability Information

Class: Improper Following of a Certificate's Chain of Trust [CWE-296]
Impact: Data loss
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Identifier: CVE-2014-5658

  3. Vulnerability Description

    MercadoLibre (NASDAQ:MELI) is an online trading company focused on
    enabling e-commerce and its related services in Latin America. According
    to the company[1] MercadoLibre is the largest e-commerce ecosystem in
    Latin America, offering a wide range of services to sellers and buyers
    throughout the region including marketplace, payments, advertising and
    e-building solutions. It operates in 13 countries including Argentina,
    Brazil, Chile, Colombia, Mexico, Peru, and Venezuela.

    The company provides services to its users through a set of
    country-localized web applications and an Android application that is
    available for download in Argentina, Brazil, Chile, Colombia, Costa
    Rica, Ecuador, Mexico, Panama, Peru, Portugal, Dominican Republic,
    Uruguay and Venezuela. As of November, 2014 the application has between 10
    and 50 million installations according to Google Play statistics[2].

    Vulnerable versions of the MercadoLibre app for Android do not
    validate the SSL certificate presented by the server. This allows
    attackers to present fake certificates and perform Man-in-the-Middle
    attacks, allowing them to capture users' credentials to the site and
    credit card information.

    The vendor fixed the problem in the latest version of the
    application. Users are advised to update their app as soon as possible.

  4. Vulnerable packages

    . MercadoLibre for Android prior to 3.10.6.

  5. Vendor Information, Solutions and Workarounds

    MercadoLibre acknowledged and fixed the vulnerability in version
    3.10.6. They did so by updating the LoopJ Asynchronous Http Client
    library to a version that does not skip the certificate validation
    process by default.

    To determine which version of the application you have installed
    on your Android device, go to "Settings|application settings|manage
    application" then tap on the MercadoLibre app.

  6. Credits

    This vulnerability was discovered and researched by Joaquin Manuel
    Rinaudo. The publication of this advisory was coordinated by Programa de
    Seguridad en TIC.
    Will Dormann of CERT/CC independently discovered the SSL
    certificate validation vulnerability using the CERT Tapioca tool.[5]

  7. Technical Description

    MercadoLibre's Android application uses the LoopJ Android
    Asynchronous HTTP client library [3] to communicate with the company's
    web services. HTTP requests destined to the server are passed through
    the 'MLAPIClient' interface to this library, which is responsible for
    establishing a secure connection.

    The vulnerability is found in the class 'AsyncHttpClient' inside
    the loopj library, which uses the class 'FakeSocketFactory' to set up
    new sockets used to connect to remote web services. The sockets created
    use a custom X509TrustManager named 'FakeTrustManager'. The
    TrustManager's task is to verify that the SSL certificate presented by
    the server is valid in order to prevent Man-in-the-Middle attacks. Since
    'FakeTrustManager' is just an empty implementation, all SSL certificates
    presented to it will be considered valid. This allows an attacker to
    mount a MITM attack to capture user authentication credentials and other
    security-sensitive data by intercepting traffic, creating fake X509
    certificates on the fly and submitting them to MercadoLibre's Android
    application.
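    The pattern described above, as an added example (this is not
    MercadoLibre's, loopj's or the advisory's own code): an X509TrustManager
    whose check methods are empty, next to two trust managers that actually
    validate the chain, the SSLContext wiring, and an audit helper that
    tells the two kinds apart. The class TlsTrust and the methods
    platformTrustManagers, bundledCaTrustManagers, socketFactory, open and
    rejectsEmptyChain are hypothetical names; javax.net.ssl and
    java.security are the real JDK/Android APIs. The body of
    AcceptAllTrustManager is reconstructed from the advisory's description
    of FakeTrustManager as an empty implementation, not copied from loopj.
    bundledCaTrustManagers goes beyond the advisory: it is the standard way
    to trust a CA that an older device's trust store lacks, the concern the
    vendor raises in the report timeline.

```java
// Added example, not code from MercadoLibre, loopj or the advisory.
// Names other than the JDK/Android API are hypothetical.
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TlsTrust {

    /** VULNERABLE: accepts every chain. This is the shape of an "empty"
     *  X509TrustManager such as the FakeTrustManager the advisory names;
     *  the body is reconstructed from that description, not copied. */
    static final class AcceptAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** FIX 1: delegate to the platform trust store. A null KeyStore tells
     *  the factory to use the system default store, which is what a client
     *  that installs no custom TrustManager gets anyway. */
    static TrustManager[] platformTrustManagers() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return tmf.getTrustManagers();
    }

    /** FIX 2: trust only a CA shipped inside the app (e.g. from res/raw).
     *  The app then no longer depends on the device store containing the
     *  server's CA, which is the older-Android concern in the timeline.
     *  caPem is a PEM- or DER-encoded CA certificate. */
    static TrustManager[] bundledCaTrustManagers(InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = (X509Certificate) cf.generateCertificate(caPem);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty in-memory store
        ks.setCertificateEntry("bundled-ca", ca);  // the only trust anchor
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    /** Builds the socket factory a client library would hand to its sockets. */
    static SSLSocketFactory socketFactory(TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);
        return ctx.getSocketFactory();
    }

    /** Opens an HTTPS connection. The default HostnameVerifier is kept on
     *  purpose: a chain can be valid and still belong to the wrong host, so
     *  setHostnameVerifier((h, s) -> true) would be the other half of the bug. */
    static HttpsURLConnection open(String url, SSLSocketFactory sf) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        c.setSSLSocketFactory(sf);
        return c;
    }

    /** Audit helper: hands a zero-length chain to a trust manager. A real
     *  manager rejects it (the JDK and Android implementations throw
     *  IllegalArgumentException); an empty one returns normally. */
    static boolean rejectsEmptyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return false;
        } catch (CertificateException | IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager platform = (X509TrustManager) platformTrustManagers()[0];
        System.out.println("accept-all rejects empty chain: "
                + rejectsEmptyChain(new AcceptAllTrustManager()));
        System.out.println("platform   rejects empty chain: "
                + rejectsEmptyChain(platform));
    }
}
```

    rejectsEmptyChain is a cheap unit-test style check to run against every
    TrustManager a code base or its dependencies install; it would have
    flagged an empty implementation without any network. For the end-to-end
    check, serve a self-signed certificate from a local test server: the
    handshake through socketFactory(platformTrustManagers()) must fail, and
    the bundled-CA variant must succeed only when the CA that issued the
    test certificate is the one bundled.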

  8. Report Timeline

. 2014-09-02:
Initial contact with the vendor requesting security contact
information to report vulnerabilities.

. 2014-09-09:
Security contact information provided.

. 2014-09-09:
Programa de Seguridad en TIC sent the vendor a description of the
vulnerability notifying them also that CERT/CC[5] had published a
document listing applications that failed to validate SSL certificates
that included the MercadoLibre app, making the vulnerability now public.

. 2014-09-09:
The vendor acknowledged the vulnerability and assured that the problem
was being addressed.

. 2014-09-09:
Programa de Seguridad en TIC sent a description of the ongoing research
project in which the vulnerability was discovered as well as a reference
to the vulnerability disclosure policy and procedures[4].

. 2014-09-17:
Programa de Seguridad en TIC requested a status update and estimated
date for the release of a fixed version of the app.

. 2014-09-17:
The vendor replied that the mobile team was working on the
problem, doing an assessment of the impact of the required change and
that the estimated date for a fix would be determined after that.

. 2014-09-17:
Programa de Seguridad en TIC asked for a status update and estimated
date for the release of a fixed version of the app.

. 2014-09-17:
The vendor indicated that impact assessment was focused on
determining the number of users that would not be able to use the fixed
app due to a Certification Authority (CA) missing in older versions of
the Android keystore.

. 2014-09-18:
Programa de Seguridad en TIC sent an email detailing the legal personal data
protection obligations[6] that apply to companies operating in
Argentina, a link to the US Federal Trade Commission case with Fandango
and Credit Karma[7], and pointed out MercadoLibre's security clause in its
own privacy policy statement[8].
Programa de Seguridad en TIC suggested that the impact of a set
of users not being able to use the fixed app should be weighed against
the potential business risk of leaving the entire user base of the
Android app vulnerable to account hijacking attacks.

. 2014-09-22:
Vendor replies that the risks are clearly understood and that
there is no question about whether the bug will or will not be fixed.
The vulnerability WILL be fixed. For further discussion Programa de
Seguridad en TIC can refer to the vendor's chief security officer.

. 2014-09-22:
Programa de Seguridad en TIC thanks the vendor for its prompt response
and reminds that all communications regarding the report should be
carried over email so they can be documented and summarized in the
corresponding section of the security advisory as described in the
reporter's vulnerability reporting and disclosure procedure.

. 2014-09-24:
The vendor informed that an updated app (version 3.10.6) fixing the
SSL certificate validation problem was rolled out and was already
available to 1% of the users.

. 2014-09-27:
The vendor informed that the MercadoLibre app version 3.10.6 was
publicly available.

. 2014-10-24:
Programa de Seguridad en TIC informed the vendor that, although it did not
receive further information about the availability of the new version of the
app, it assumed that by now it was available to 100% of the affected
users and would therefore proceed with the publication of the security
advisory the following Monday.

. 2014-11-07:
A new version of the MercadoLibre application was published on
the Google Play market.

. 2014-11-11:
The advisory was released.

  9. References

[1] About MercadoLibre
http://investor.mercadolibre.com/
[2] MercadoLibre for Android
https://play.google.com/store/apps/details?id=com.mercadolibre
[3] LoopJ Asynchronous HTTP Client
https://github.com/loopj/android-async-http
[4] Programa STIC - Vulnerability Reporting and Disclosure Procedure
http://www.fundacionsadosky.org.ar/procedimiento-stic
[5] Vulnerability Note VU#582497. Multiple Android applications fail to
properly validate SSL certificates.
http://www.kb.cert.org/vuls/id/582497
[6] Ley 25.326 de Proteccion de los Datos Personales (Personal Data Protection Act), Argentina.
http://www.jus.gob.ar/datos-personales/cumpli-con-la-ley/%C2%BFcuales-son-tus-obligaciones.aspx
[7] Fandango, Credit Karma Settle FTC Charges that They Deceived
Consumers By Failing to Securely Transmit Sensitive Personal Information.
http://www.ftc.gov/news-events/press-releases/2014/03/fandango-credit-karma-settle-ftc-charges-they-deceived-consumers
[8] Politicas de privacidad y confidencialidad de la informacion,
MercadoLibre.
http://ayuda.mercadolibre.com.ar/seguro_privacidad

  10. About Fundacion Dr. Manuel Sadosky

The Dr. Manuel Sadosky Foundation is a mixed (public / private)
institution whose goal is to promote stronger and closer interaction
between industry and the scientific-technological system in all aspects
related to Information and Communications Technology (ICT). The
Foundation was formally created by a Presidential Decree in 2009. Its
Chairman is the Minister of Science, Technology, and Productive
Innovation of Argentina; and the Vice-chairmen are the chairmen of the
country's most important ICT chambers: The Software and Computer
Services Chamber (CESSI) and the Argentine Computing and
Telecommunications Chamber (CICOMRA). For more information visit:
http://www.fundacionsadosky.org.ar

  11. Copyright Notice

The contents of this advisory are copyright (c) 2014 Fundacion Sadosky
and are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/

-- Programa de Seguridad en TIC, Fundacion Dr. Manuel Sadosky, Av. Cordoba 744 Piso 5 Oficina I, TE/FAX: 4328-5164
