VYPR
Unrated severity · NVD Advisory · Published Sep 22, 2014 · Updated May 6, 2026

CVE-2014-6014

Description

The Conquest Of Fantasia (aka air.com.ingen.studios.cof.sg) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Conquest Of Fantasia Android app fails to validate SSL certificates, enabling man-in-the-middle attackers to intercept sensitive data.

Vulnerability

The Conquest Of Fantasia application (package air.com.ingen.studios.cof.sg) version 1.0.1 for Android fails to properly verify X.509 certificates presented by HTTPS servers. This means the app does not validate whether the SSL certificate chain originates from a trusted root certificate authority, breaking the trust model of HTTPS. The vulnerable code path is reachable whenever the app makes any HTTPS connection; no special configuration is required by the user. [1]
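For auditing Android code for this class of flaw, the following is an added example, not code from the advisory or from the affected app: a heuristic scanner that flags common ways decompiled Java disables TLS server authentication. The advisory does not say how this app skips verification, so the patterns and both Java samples are constructed assumptions.

```python
import re

# Heuristic patterns for Java code that disables TLS server authentication.
PATTERNS = {
    "empty checkServerTrusted (accepts any chain)":
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}",
    "HostnameVerifier.verify always returns true":
        r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}",
    "Apache allow-all hostname verifier":
        r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier",
    "WebView onReceivedSslError calls proceed()":
        r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)",
}

def scan(source: str) -> list[str]:
    """Return the names of the patterns found in one Java source file."""
    # Drop comments so a comment-only method body still counts as empty.
    code = re.sub(r"/\*.*?\*/|//[^\n]*", "", source, flags=re.S)
    return [name for name, rx in PATTERNS.items() if re.search(rx, code)]

# Constructed sample: a trust-all manager and an accept-any-host verifier.
SAMPLE_VULNERABLE = """
class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) {
        // accept everything
    }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
class AnyHost implements HostnameVerifier {
    public boolean verify(String host, SSLSession s) { return true; }
}
"""

# Constructed sample: the platform trust store validates the server chain.
SAMPLE_HARDENED = """
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);  // null selects the default trust store
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
"""

if __name__ == "__main__":
    print("vulnerable:", scan(SAMPLE_VULNERABLE))
    print("hardened:  ", scan(SAMPLE_HARDENED))
```

A match is a lead for manual review rather than proof of a flaw, and a clean result does not rule out verification being disabled in native code or a non-Java runtime.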

Exploitation

An attacker must be able to perform a man-in-the-middle (MITM) attack on the network between the Android device and the target server. This is typically achieved by being on the same Wi-Fi network, or by compromising a network router or proxy. The attacker presents a crafted certificate (e.g., self-signed or from a rogue CA) during the TLS handshake. Because the app does not verify the certificate, it accepts the connection and proceeds to send data over HTTPS. [1]

Impact

A successful MITM attacker can intercept all HTTPS traffic between the app and its backend servers. This may include credentials, personal information, or other sensitive data transmitted by the app. The attacker can also read or modify the data in transit. The exact compromise depends on what the app exchanges over HTTPS; potential impacts include credential theft and, in some scenarios, arbitrary code execution if the attacker injects malicious content that the app processes. [1]

Mitigation

No fix has been released by the vendor for Conquest Of Fantasia 1.0.1. The CERT/CC recommends avoiding the use of vulnerable Android applications for sensitive transactions; users can access the same content via a web browser instead. As of the publication date (2014-09-22), this application was not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. [1]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
