Unrated severity · NVD Advisory · Published Sep 9, 2014 · Updated May 6, 2026

CVE-2014-5617

Description

Exsoul Web Browser 3.3.3 for Android fails to validate SSL certificates, enabling MITM attacks to intercept sensitive data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Exsoul Web Browser (aka com.exsoul) version 3.3.3 for Android does not verify X.509 certificates provided by SSL servers during HTTPS connections [1]. This flaw means the application accepts any certificate presented by the server without validating it against a trusted root certificate authority. The code path is reachable whenever the browser makes an HTTPS request, which occurs for all secure web traffic within the app.
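
The advisory does not show the app's code, so the following is an added example (not from the advisory or the Exsoul project): a small Python audit that flags common trust-all patterns in decompiled Android Java source, the class of defect described above. The rule names, the function names and both sample classes are constructed for illustration.

```python
import re

# Rule name -> regex over comment-stripped Java source. Each matches a
# well-known way Android code ends up accepting any server certificate.
RULES = {
    "empty-checkServerTrusted": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}"),
    "verify-returns-true": re.compile(
        r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
    # Flags proceed() only when no nested block precedes it; handlers that
    # branch before calling proceed() need manual review.
    "unconditional-ssl-proceed": re.compile(
        r"onReceivedSslError\s*\([^)]*\)\s*\{[^{}]*\.proceed\s*\(\s*\)"),
    "allow-all-hostname-verifier": re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier"),
}

def strip_comments(src):
    """Blank out Java comments, keeping newlines so line numbers stay valid."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group())
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def find_trust_all(src):
    """Return sorted (line_number, rule_name) pairs for every rule match."""
    clean = strip_comments(src)
    return sorted((clean.count("\n", 0, m.start()) + 1, name)
                  for name, rx in RULES.items() for m in rx.finditer(clean))

# Constructed sample input (not the Exsoul app's code).
SAMPLE_BAD = '''\
class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException { /* accept anything */ }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
class Client extends WebViewClient {
    public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
        h.proceed(); // ignore the error
    }
}
'''
# Constructed hardened counterpart: abort the load on any certificate error.
SAMPLE_GOOD = '''\
class Client extends WebViewClient {
    public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
        h.cancel();
    }
}
'''
```

A clean result from these four rules does not prove that validation is correct; it only rules out the patterns listed.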

Exploitation

An attacker must be positioned on the same network as the Android device (e.g., via a rogue Wi-Fi hotspot or compromised router) to perform a man-in-the-middle (MITM) attack. The attacker presents a crafted certificate—either self-signed or issued by any arbitrary CA—to the browser when it attempts to connect to a legitimate HTTPS site [1]. Because the app does not verify the certificate chain, the malicious certificate is accepted, and the attacker can intercept, decrypt, and potentially modify the traffic between the device and the server.

Impact

A successful MITM attack allows the attacker to view and alter network traffic that should be protected by HTTPS [1]. The attacker can steal credentials, session tokens, personal information, or other sensitive data transmitted by the browser. Depending on the server's response handling, the attacker may also inject malicious content, potentially leading to arbitrary code execution in the app's context.

Mitigation

The available references do not explicitly state an official fix or an update to version 3.3.3 or later [1]. Users should avoid using the Exsoul Web Browser for sensitive transactions. A general workaround is to uninstall the application and use a different browser that properly validates certificates, such as Chrome or Firefox, both of which are available on Android. The application may be unnecessary, since its core function (browsing the web) is readily provided by more secure alternatives [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:exsoul-browser:exsoul_web_browser:3.3.3:*:*:*:*:android:*:*
  • (no CPE) range: 3.3.3

Patches

No patches discovered yet.

References

3
