Unrated severity · NVD Advisory · Published Sep 9, 2014 · Updated May 6, 2026

CVE-2014-5735

Description

The Buy A Gift (aka com.wBuyAGift) application 13529.90084 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Buy A Gift Android app fails to validate SSL certificates, enabling man-in-the-middle attacks to steal sensitive data.

Vulnerability

The Android application "Buy A Gift" (package com.wBuyAGift, version 13529.90084) fails to properly validate X.509 certificates presented by SSL servers during HTTPS connections [1]. This means the app accepts any certificate, including those crafted by attackers, without verifying the certificate chain against a trusted root CA.

Exploitation

An attacker positioned on the same network as the victim (e.g., on public Wi-Fi) can perform a man-in-the-middle (MITM) attack. The attacker intercepts the HTTPS connection and presents a self-signed or otherwise invalid certificate. Because the vulnerable app does not validate the certificate, it proceeds with the connection, allowing the attacker to eavesdrop on or modify the traffic [1].

Impact

A successful MITM attacker can spoof the legitimate server and gain access to sensitive information transmitted by the app, such as login credentials, personal data, or payment details. The impact is at the same privilege level as the app's network access; arbitrary code execution is also possible if the app handles executable content [1].

Mitigation

As of the report date (2014-09-09), no patch has been released for this application. The CERT/CC recommends that users discontinue use of the app and instead access the same services through a web browser, where proper SSL validation is handled by the Android system [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
