CVE-2014-4900
Description
The migme Android app version 4.03.002 fails to validate SSL certificates, enabling man-in-the-middle attacks to steal sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The migme (aka com.projectgoth) application version 4.03.002 for Android does not verify X.509 certificates from SSL servers. This flaw, a common issue in Android apps as documented in CERT/CC VU#582497 [1], means the app trusts any certificate presented by a server, including one supplied by an attacker.
Exploitation
An attacker in a position to perform a man-in-the-middle (MITM) attack — such as on the same Wi-Fi network as the device — can present a crafted SSL certificate to the app. The application will then establish a TLS session with the attacker's server, believing it is the legitimate migme backend. No user interaction is required beyond the app connecting to the server [1].
Impact
Successful exploitation allows the attacker to decrypt, inspect, and modify all HTTPS traffic between the app and the server. This can lead to theft of sensitive information including login credentials, personal messages, or any data transmitted by the app. In a broader context, such SSL validation failures enable credential theft or arbitrary code execution [1]. The attacker operates at the network layer, gaining access to data that should be protected by HTTPS.
Mitigation
As of the publication date (2014-10-21), no fixed version was announced for the migme application. Users are advised to avoid using the affected app and instead access migme services via a web browser, where proper SSL validation is enforced by the browser. The application may be unnecessary if its content is available through other means [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References (3)
- www.kb.cert.org/vuls/id/428673 (NVD; US Government Resource)
- www.kb.cert.org/vuls/id/582497 (NVD; US Government Resource)
- docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit (NVD)