SIK-2017-046


Title:

Broken X509TrustManager in Handelsblatt Global Edition App

Report ID

SIK-2017-046

Summary:

  • Vendor: Handelsblatt GmbH
  • Product: Handelsblatt Global Edition (App-Package: com.handelsblatt.ge)
  • Affected Version: 1.0.6.002
  • Severity: medium
  • Short summary: Certificates used for the encrypted SSL/TLS connection are not checked properly, which makes the app vulnerable to man-in-the-middle attacks

Details:

When logging in, the communication between the app and its backend is secured with SSL/TLS. During the handshake the backend sends a certificate, which enables the client to verify that it is talking to the correct backend. The Handelsblatt Global Edition App does not implement this validity check properly. A man-in-the-middle attacker can therefore intercept the communication by presenting his own certificate to the app, which accepts it without complaint.
The login process sends the following request. Note that the user's e-mail address and password travel as URL query parameters, so an attacker who terminates the TLS connection reads them in plaintext:

GET https://api.p4plive.s4p-iapps.com/gews/v4/getAccountId?email=email%40email.com&password=testpw
       <- 401 text/html 401B 122ms
GET https://api.p4plive.s4p-iapps.com/gews/v4/getAccountId?email=email%40email.com&password=testpw

In the class com.iapps.p4pnext.d.k, an X509TrustManager is implemented which does not check the certificate at all: both check methods have empty bodies and never throw a CertificateException.
With this implementation, the app trusts every certificate (decompiled code; j is the enclosing class in the decompiled app):

import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

// Decompiled from com.iapps.p4pnext.d.k. No method body ever rejects a
// certificate, so any chain, including an attacker's, is accepted.
final class k implements X509TrustManager {
    final /* synthetic */ j a;

    k(j jVar) {
        this.a = jVar;
    }

    // Empty body: every client certificate is accepted.
    public final void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
    }

    // Empty body: every server certificate is accepted, so a man-in-the-middle's
    // self-signed certificate passes unchecked.
    public final void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
    }

    // Returns null instead of an empty array; callers that iterate over the
    // result will fail with a NullPointerException.
    public final X509Certificate[] getAcceptedIssuers() {
        return null;
    }
}

Workaround

Use a VPN connection when using this app. This only protects the path between the device and the VPN endpoint; between the VPN endpoint and the backend the app still accepts any certificate.

Suggested Mitigation

Implement a proper certificate check, or use the system's default X509TrustManager (i.e. do not install a custom one at all).
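The following is an added example written for this advisory; it is not code from the Handelsblatt app or its vendor. It shows what the trust manager above should look like if the code base insists on providing its own X509TrustManager: the implementation delegates every decision to the platform's default trust manager (backed by the system CA store) instead of silently accepting everything. Class and method names (ProperTrustManager, platformTrustManager, handshakeAccepted) are the editor's own choices.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not the app's code: a custom trust manager that defers to the
 * platform's default X509TrustManager instead of accepting every certificate.
 */
public final class ProperTrustManager implements X509TrustManager {

    private final X509TrustManager platform;

    public ProperTrustManager() throws Exception {
        this.platform = platformTrustManager();
    }

    /** Look up the platform's default X509TrustManager (system CA store). */
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore = the platform's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Reject a missing chain explicitly rather than relying on the delegate.
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty server certificate chain");
        }
        // Full path validation (signatures, validity period, trusted root) is
        // done by the platform; an attacker's self-signed certificate throws here.
        platform.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platform.getAcceptedIssuers(); // an array, never null
    }

    /** Build an SSLContext that validates against the system trust store. */
    public static SSLContext secureContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ProperTrustManager() }, null);
        return ctx;
    }

    /**
     * Check routine: true if the TLS handshake with url succeeds, false if the
     * server certificate is rejected. Pointed at an intercepting proxy whose CA
     * is not installed on the device, a fixed app must return false.
     */
    public static boolean handshakeAccepted(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(secureContext().getSocketFactory());
        try {
            conn.connect();
            return true;
        } catch (SSLHandshakeException e) {
            return false; // certificate validation failed, as it should against a MITM
        } finally {
            conn.disconnect();
        }
    }
}
```

Functionally this wrapper is equivalent to not calling SSLContext.init with a custom TrustManager at all, which is the simplest fix. Whatever the choice, the HostnameVerifier of HttpsURLConnection must be left at its default as well; an accept-all verifier would reopen the same hole with a certificate that is valid for a different host. On Android 7 and later the app can additionally declare in its Network Security Config that only system trust anchors are accepted, which keeps user-installed CAs (such as those of intercepting proxies) out of the trust store.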

Timeline

  • 2017-08-09: Vulnerability discovered
  • 2017-08-09: Contacted developer
  • 2017-08-18: Advisory sent to developer