
List:       full-disclosure
Subject:    [FD] Facebook Messenger (iOS) Certificate Validation Vulnerability
From:       Sean Wright <swright () secureworks ! com>
Date:       2016-03-23 12:01:13
Message-ID: AAF01196463D4348B07BEA8EF813B23335774338 () ATL1EX02 ! corp ! secureworks ! net

Classification: //Dell SecureWorks/Public Use:

Advisory Information
=================
Title: Facebook Messenger (iOS) Certificate Validation Vulnerability
Advisory ID: SWRX-2016-001
Advisory URL: https://www.secureworks.com/research/swrx-2016-001
Date published: Tuesday, March 22, 2016
CVE: Not assigned
CVSS v2 base score: 5.8
Date of last update: Tuesday, March 22, 2016
Vendors contacted: Facebook, Inc.
Release mode: Coordinated
Discovered by: Sean Wright, Dell SecureWorks

Summary
========
The Facebook social networking service includes a mobile application called Messenger that allows users to send private messages to their Facebook contacts. Although the application uses HTTPS to communicate with the backend servers, insufficient validation (only when the device is configured to use a proxy) of the certificates returned by these servers leaves the application open to man-in-the-middle (MITM) attacks.
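A defensive counterpart to the issue described above, added here as an example and not code from the advisory or from Facebook: a Python client that keeps strict validation of the origin server's certificate even when the connection is routed through an HTTP CONNECT proxy, which is the configuration the advisory says Messenger mishandled. The proxy address and the origin host are assumptions supplied by the caller.

```python
import socket
import ssl
from typing import Optional, Tuple

def strict_context() -> ssl.SSLContext:
    """Context that rejects untrusted chains and hostname mismatches."""
    ctx = ssl.create_default_context()      # loads the system CA store
    ctx.check_hostname = True               # cert name must match the origin host
    ctx.verify_mode = ssl.CERT_REQUIRED     # never relax to CERT_NONE for a proxy
    return ctx

def connect_request(host: str, port: int) -> bytes:
    """HTTP CONNECT request asking the proxy for a raw tunnel to host:port."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")

def connect_status(response: bytes) -> int:
    """Status code from the proxy's CONNECT reply; only 200 means the tunnel is up."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"malformed proxy reply: {status_line!r}")
    return int(parts[1])

def read_headers(sock: socket.socket) -> bytes:
    """Read the proxy's reply up to the blank line that ends its headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before the tunnel was ready")
        buf += chunk
    return buf

def tls_connect(host: str, port: int = 443,
                proxy: Optional[Tuple[str, int]] = None) -> ssl.SSLSocket:
    """Open a verified TLS session to host, directly or through a CONNECT proxy.

    The certificate is checked against the origin host with the same strict
    context in both paths, so a proxy in the network path changes nothing.
    """
    if proxy is None:
        raw = socket.create_connection((host, port), timeout=10)
    else:
        raw = socket.create_connection(proxy, timeout=10)   # proxy is an assumed (host, port)
        raw.sendall(connect_request(host, port))
        if connect_status(read_headers(raw)) != 200:
            raw.close()
            raise ConnectionError("proxy refused the CONNECT tunnel")
    # server_hostname is the origin, not the proxy: it drives SNI and hostname checking.
    # wrap_socket raises ssl.SSLCertVerificationError on an untrusted or mismatched cert.
    return strict_context().wrap_socket(raw, server_hostname=host)
```

A client that, on the proxy path, wrapped the socket with a context set to `CERT_NONE` or with `check_hostname` disabled would accept any certificate the proxy forwarded, which is the failure mode the advisory describes.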
