CVE-2014-7002

Vulnerability

The Sopexa Pavillon France (com.goomeoevents.pavillonfrance) application version 3.6.5 for Android fails to properly verify X.509 certificates presented by SSL servers [1]. This means the app accepts any certificate without checking if it is issued by a trusted Certificate Authority, leaving HTTPS connections unverified.

Exploitation

An attacker positioned on the same network as the Android device (e.g., via rogue Wi-Fi hotspot) can perform a man-in-the-middle attack by presenting a crafted certificate [1]. The app will accept this certificate and establish an HTTPS connection, allowing the attacker to intercept or modify traffic [1].

Impact

A successful attacker can obtain sensitive information transmitted by the app, such as credentials or other personal data [1]. The impact depends on what data the app exchanges, but could include credential theft or arbitrary code execution if the app delivers code via HTTPS [1].

Mitigation

Users should avoid using this application for sensitive transactions and instead access the service via a web browser [1]. No patch has been announced as of the publication date. The app is listed among other vulnerable Android apps in the CERT/CC tracking spreadsheet [2].