VYPR
Unrated severity · NVD Advisory · Published Oct 19, 2014 · Updated May 6, 2026

CVE-2014-7337

Description

The Acorn Estate Agents (aka com.acorn.ea) application 3.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Acorn Estate Agents app for Android fails to validate SSL certificates, enabling man-in-the-middle attackers to steal sensitive data.

Vulnerability

The Acorn Estate Agents application (com.acorn.ea) version 3.1 for Android does not properly validate X.509 certificates from SSL servers [1]. This means the app accepts any certificate presented by a server, including self-signed or malicious ones, without verifying the chain of trust.
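
An added example, not code from the advisory or from the app (whose source the page does not show): a static check over decompiled Java source for code patterns that commonly cause an Android app to accept any certificate. The function names, finding strings and both sample snippets are constructed for illustration.

```python
import re

COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def method_bodies(src, head):
    """Yield (line, body) for each method whose declaration matches regex `head`."""
    for m in re.finditer(head + r"[^;{]*\{", src):
        depth, i = 1, m.end()
        while i < len(src) and depth:              # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield src.count("\n", 0, m.start()) + 1, src[m.end():i - 1]

def audit_tls_code(source):
    """Return sorted (line, finding) pairs; heuristic, ignores string literals."""
    # Blank out comments but keep newlines so reported line numbers stay correct.
    src = COMMENTS.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    found = []
    for line, body in method_bodies(src, r"\bcheckServerTrusted\s*\([^)]*\)"):
        # A validating implementation throws CertificateException or delegates.
        if "throw" not in body and "checkServerTrusted" not in body:
            found.append((line, "checkServerTrusted never rejects a chain"))
    verify_head = r"\bverify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
    for line, body in method_bodies(src, verify_head):
        if "".join(body.split()) == "returntrue;":
            found.append((line, "HostnameVerifier accepts every hostname"))
    for m in re.finditer(r"\b(ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier)\b", src):
        found.append((src.count("\n", 0, m.start()) + 1, "allow-all hostname verifier used"))
    return sorted(found)

# Constructed sample input (not the app's code, which the advisory does not show).
WEAK_SAMPLE = """\
class TrustAll implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a) {
        // accept everything
    }
}
class AnyHost implements HostnameVerifier {
    public boolean verify(String host, SSLSession session) { return true; }
}
"""
SAFE_SAMPLE = """\
public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
    platformDefault.checkServerTrusted(c, a);  // platform chain validation
}
"""

if __name__ == "__main__":
    print(audit_tls_code(WEAK_SAMPLE))
```

A hit is a lead for manual review rather than proof: confirm the finding by checking how the flagged class is wired into the app's `SSLContext` or HTTP client.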

Exploitation

An attacker in a position to intercept network traffic (e.g., on the same Wi-Fi network) can perform a man-in-the-middle attack by presenting a crafted certificate to the app. The app will accept this certificate and establish an HTTPS connection with the attacker's server, allowing the attacker to decrypt and potentially modify the data in transit [1]. No additional authentication or user interaction beyond normal app usage is required.

Impact

A successful attacker can view or modify network traffic that the app sends and receives over HTTPS. This could lead to disclosure of sensitive information such as login credentials, personal data, or financial details. The impact is limited to the data the app transmits, although the attacker may also inject malicious content into that traffic [1].

Mitigation

The vendor has not released a patched version as of the publication date [1]. Users are advised to avoid using the Acorn Estate Agents app for sensitive transactions until a fix is made available. Alternatively, accessing the same services through a web browser may avoid this vulnerability [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
