VYPR
Unrated severity · NVD Advisory · Published Oct 20, 2014 · Updated May 6, 2026

CVE-2014-7484

Description

The Coca-Cola FM Guatemala (aka com.enyetech.radio.coca_cola.fm_gu) application 2.0.41725 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Coca-Cola FM Guatemala for Android fails to verify SSL certificates, allowing man-in-the-middle attacks to spoof servers and steal sensitive data.

Vulnerability

The Coca-Cola FM Guatemala application (com.enyetech.radio.coca_cola.fm_gu) version 2.0.41725 for Android does not properly validate X.509 certificates presented by SSL servers [1]. This means the app accepts any certificate, including self-signed or forged ones, when establishing HTTPS connections. The official description [1] confirms this flaw applies to the specified version.

Exploitation

An attacker in a man-in-the-middle (MITM) position on the same network as the victim's Android device can present a crafted certificate to the application [1]. No prior authentication or user interaction beyond normal app use is required; the attacker simply intercepts the SSL handshake and supplies a fraudulent certificate, which the app accepts without verification [1].

Impact

By exploiting this flaw, an attacker can spoof legitimate servers and intercept or modify HTTPS traffic [1]. Sensitive information transmitted through the app, such as login credentials or personal data, can be disclosed. How much is exposed depends on what the application actually sends over these connections, but credential theft or further compromise is possible [1].

Mitigation

The referenced CERT/CC note advises users to avoid affected applications where possible and to access the same content through a web browser instead [1]. No specific patch or fixed version has been identified for this application. Users are advised to uninstall the app until a security update is provided [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
