Over 10 million users of the widely popular custom Android ROM, Cyanogen, are vulnerable to a man-in-the-middle (MitM) attack due to the reuse of vulnerable sample code.
The zero-day vulnerability could allow an attacker to target any browser used on the popular custom Android distribution and initiate a man-in-the-middle attack.
A security researcher at a top-tier vendor, who wishes to remain unknown, told the Register that Cyanogenmod among many others Android ROM developers had taken Oracle’s older sample code for Java 1.5 for parsing certificates to obtain hostnames, and implement it. One issue, that code is has a series of vulnerabilities inside.
“I was looking at HTTP component code and I was thinking I had seen this code before,” the researcher said. “They just copy-pasted the sample code and that’s what was vulnerable. I checked on GitHub and found out a tonne of others were using it.”
As a responsible security researcher, the anonymous researcher properly disclosed the flaw to affected providers before releasing it to the public, but found no luck with the Cyanogenmod team. The researcher then chose to publicly mention to zero-day vulnerability at the Ruxcon security conference held in Melbourne Australia.
Cyanogenmod developers have since been contacted regarding the zero-day vulnerability since its public debut.
The security researcher found the set of flaws, which had been previously disclosed in 2012 as well as earlier this year in Apache HTTP libraries that lacked SSL hostname verification.
The flaw means attackers have the ability to use any hostname they wish on SSL certificates, and have it accepted by big certificate bodies, opening security holes vulnerable to man-in-the-middle attacks.
“If you go and create a SSL certificate for a domain you own, say evil.com and in an element of the certificate signing request such as the ‘organisation name’ field you put the ‘value,cn=*domain name*, it will be accepted as the valid domain name for the certificate,” he said.
“Cyanogenmod uses this implementation for its browsers so you can go now and MitM someone’s phone,” he continued.
The unnamed man said the fix was fairly simple and said the public disclosure of the vulnerability was an “academic exercise” in the perils of code reuse.
Reusing code is not a bad idea, but if unchecked it opens systems to vulnerabilities, bugs and appears to be a shortcut the developers were willing to take.