VYPR
Unrated severity · NVD Advisory · Published Oct 4, 2014 · Updated May 6, 2026

CVE-2014-6909

Description

The Coca-Cola FM Peru (aka com.enyetech.radio.coca_cola.fm_pe) application 2.0.41716 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Coca-Cola FM Peru for Android fails to validate SSL certificates, enabling man-in-the-middle attacks to intercept sensitive data.

Vulnerability

The Coca-Cola FM Peru application (com.enyetech.radio.coca_cola.fm_pe) version 2.0.41716 for Android does not properly verify X.509 certificates from SSL servers. This flaw was identified through dynamic SSL validation testing as part of a broader study of Android applications [1][2]. The application fails to validate the certificate chain, making HTTPS connections vulnerable to interception.

Exploitation

An attacker with network access (e.g., on the same Wi-Fi network) can perform a man-in-the-middle attack by presenting a crafted certificate. The application will accept the fraudulent certificate without proper validation, allowing the attacker to intercept and potentially modify traffic between the app and its servers.

Impact

Successful exploitation allows the attacker to view or modify network traffic that should have been protected by HTTPS. This could lead to disclosure of sensitive information such as login credentials or personal data, and in some cases, arbitrary code execution depending on the app's functionality [1].

Mitigation

The vendor has not released a patched version as of the publication date. Users are advised to avoid using the application and instead access Coca-Cola FM Peru content via a web browser, which typically provides proper SSL validation [1]. The app is listed in the CERT/CC tracking spreadsheet of vulnerable applications [2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:enyetech:coca-cola_fm_peru:2.0.41716:*:*:*:*:android:*:*
  • (no CPE) range: = 2.0.41716

Patches

0

No patches discovered yet.

References

3
