openMF/mifos-mobile disabled hostname verification and used an insecure TrustManager for HTTPS connections, making clients vulnerable to a machine-in-the-middle (MiTM) attack.
The SelfServiceOkHttpClient class disables hostname verification by installing a HostnameVerifier that accepts every hostname (it always returns true). The same class also installs an insecure TrustManager that trusts all certificates, including self-signed ones.
Disabled hostname verification lets an attacker intercepting a connection use any valid certificate, even one whose hostname does NOT match the hostname of the connection. The insecure TrustManager lets an attacker present a self-signed certificate issued for the hostname of the intercepted connection, because the certificate chain is never validated against a trust store.
- 2020-10-18: Asked to open a security advisory.
- 2021-03-19: CVE id is shared with me.
- 2021-03-14: Issue is patched.
- 2021-03-22: Advisory is published.
This issue was discovered and reported by @intrigus-lgtm.
You can contact the ISL at
firstname.lastname@example.org. Please include a reference to
ISL-2020-008 in any communication regarding this issue.