Unrated severity · NVD Advisory · Published Sep 30, 2014 · Updated May 6, 2026

CVE-2014-6839

Description

The Alma Corinthiana (aka com.alma.corinthiana) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Alma Corinthiana Android app 1.0 fails to validate SSL certificates, enabling MITM attacks to steal sensitive data.

Vulnerability

The Alma Corinthiana (com.alma.corinthiana) application version 1.0 for Android does not properly verify X.509 certificates from SSL servers [1][2]. This vulnerability occurs because the app implements HTTPS connections without performing standard certificate validation checks, such as verifying the certificate chain against a trusted root CA. The app is listed among hundreds of Android applications that failed dynamic SSL validation testing performed by CERT/CC [2].

Exploitation

An attacker on the same network as the Android device (e.g., a malicious Wi-Fi hotspot or a compromised router) can perform a man-in-the-middle (MITM) attack [1]. The attacker presents a crafted certificate that the app accepts without proper validation. No user interaction beyond the normal use of the app is required; the connection is silently intercepted.

Impact

Successful exploitation allows the attacker to view or modify network traffic that should have been protected by HTTPS [1]. This can lead to credential theft, disclosure of sensitive personal information, or potentially arbitrary code execution depending on the data exchanged [1]. The impact is limited to data transmitted while the app is in use.

Mitigation

As of the publication date (2014-09-30), no official fix has been verified from the available references [1][2]. Users are advised to avoid using the app and access the same services through a web browser, which typically relies on the device's built-in certificate validation [1]. The vendor was not listed as having provided a patched version at the time of the advisory.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.
