CVE-2014-7015
Description
The JJ Texas Hold'em Poker (aka cn.jj.poker) application 1.13.23.HD for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JJ Texas Hold'em Poker for Android fails to validate SSL certificates, enabling man-in-the-middle attacks to intercept sensitive data.
Vulnerability
The JJ Texas Hold'em Poker application (package cn.jj.poker) version 1.13.23.HD for Android does not verify X.509 certificates from SSL servers. This means the app accepts any certificate presented during an HTTPS connection without checking its validity against a trusted root certificate authority. The vulnerability is present in the specified version and likely in other versions as well, as noted in the CERT/CC vulnerability note [1] and the associated spreadsheet of failing apps [2].
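As an added illustration (not code from this page or from the app), the following static check flags the common Android code patterns that produce this class of flaw in decompiled Java source. The page does not say which pattern cn.jj.poker contains, so the rule list is an assumption, and the Java samples and the `platformDefault` field are constructed for the example.

```python
import re

# Well-known ways Android code ends up accepting any server certificate.
# Assumption: the page does not say which of these cn.jj.poker uses.
RULES = {
    "empty-checkServerTrusted": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*\}"),
    "allow-all-hostname-verifier": re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier"),
    "verify-returns-true": re.compile(
        r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
        r"\s*\{\s*return\s+true\s*;\s*\}"),
    "webview-ssl-error-proceed": re.compile(
        r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)"),
}
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def scan(source: str):
    """Return sorted (line, rule) findings for one Java source string."""
    # Blank out comments (keeping newlines) so a method body that holds only
    # a comment still counts as empty and line numbers stay correct.
    code = COMMENT.sub(lambda m: "\n" * m.group().count("\n"), source)
    findings = []
    for rule, pattern in RULES.items():
        for m in pattern.finditer(code):
            findings.append((code.count("\n", 0, m.start()) + 1, rule))
    return sorted(findings)

# Constructed sample: trust-all TrustManager plus a disabled hostname check.
VULNERABLE = '''class TrustAll implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // accept everything
    }
}
class Net {
    void open(SSLSocketFactory sf) {
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
}
'''

# Constructed sample: validation is delegated to the platform trust manager.
SAFE = '''class Checked implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platformDefault.checkServerTrusted(chain, authType);  // hypothetical field
    }
}
'''
```

A hit is a lead for manual review, not proof: confirm it by checking whether the flagged class is actually installed on the connection the app uses.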
Exploitation
An attacker must be on the same network as the Android device (e.g., a public Wi-Fi hotspot) to perform a man-in-the-middle (MITM) attack. The attacker can present a crafted certificate to the app, which the app will accept without validation. This allows the attacker to intercept and potentially modify the HTTPS traffic between the app and its servers.
Impact
Successful exploitation allows the attacker to view or modify network traffic that should have been protected by HTTPS. This can lead to the disclosure of sensitive information such as login credentials, personal data, or financial details. The impact varies based on what the app transmits, but the CERT/CC notes that credential stealing or arbitrary code execution are possible outcomes [1].
Mitigation
No official fix has been released for this application. The CERT/CC recommends not using affected applications and instead accessing the same content via a web browser, which typically implements proper SSL validation [1]. Users should uninstall the JJ Texas Hold'em Poker app until a patched version is made available.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:jjmatch:jj_texas_hold\'em_poker:1.13.23.hd:*:*:*:*:android:*:*
- Range: 1.13.23.HD
Patches
No patches discovered yet.
References
- www.kb.cert.org/vuls/id/582497 (nvd, US Government Resource)
- www.kb.cert.org/vuls/id/826785 (nvd, US Government Resource)
- docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit (nvd)