Unrated severity · NVD Advisory · Published Oct 20, 2014 · Updated May 6, 2026

CVE-2014-7558

Description

The Everest Poker Android app fails to validate SSL certificates, enabling man-in-the-middle attacks to intercept sensitive data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Everest Poker Android application (com.wEverestPoker) version 0.1 does not verify X.509 certificates from SSL servers. This means that when the app establishes an HTTPS connection, it accepts any certificate presented by the server without validating its authenticity against a trusted root certificate authority [1]. The vulnerability affects all HTTPS communications made by the app.
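A static check for this class of flaw, as an added example that is not part of the advisory or the app's code: it scans Java source (for instance decompiled output) for constructs that commonly make an Android app accept any server certificate. The advisory does not say which construct this app contains; the pattern list, the names `CHECKS`, `strip_comments` and `scan`, and both Java fragments are assumptions constructed for illustration.

```python
import re

# Coding patterns that commonly make an Android app accept any certificate.
# Assumption: the advisory does not say which of these the app contains.
CHECKS = {
    "empty-checkServerTrusted": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?\{\s*\}"),
    "hostname-verifier-always-true": re.compile(
        r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
        r"\s*\{\s*return\s+true\s*;\s*\}"),
    "allow-all-hostname-verifier": re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier"),
}

def strip_comments(src):
    """Blank out comments, keeping newlines so line numbers stay valid.
    Limitation: a '//' inside a string literal truncates that line."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def scan(src):
    """Return sorted (line, finding) pairs for one Java source string."""
    clean = strip_comments(src)
    hits = []
    for name, pat in CHECKS.items():
        for m in pat.finditer(clean):
            hits.append((clean.count("\n", 0, m.start()) + 1, name))
    return sorted(hits)

# Constructed Java fragments, not code from the affected app.
VULNERABLE = '''\
class TrustAll implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
        // accept everything
    }
}
class AnyHost implements HostnameVerifier {
    public boolean verify(String host, SSLSession s) { return true; }
}
'''
HARDENED = '''\
class Delegating implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
        platformDefault.checkServerTrusted(c, a);  // real chain validation
    }
}
'''
print(scan(VULNERABLE), scan(HARDENED))
```

A hit is a lead for manual review, not proof: the override may be unreachable or limited to debug builds, and a clean scan does not rule out validation being disabled in native code or a bundled library.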

Exploitation

An attacker must be in a position to perform a man-in-the-middle (MITM) attack on the network used by the Android device (e.g., a rogue Wi-Fi hotspot or compromised router). The attacker can then intercept the HTTPS connection between the app and its intended server, present a crafted certificate (e.g., self-signed or issued by an untrusted CA), and the app will accept it without warning [1]. No additional authentication or user interaction is required beyond the initial network access.

Impact

A successful MITM attacker can view and modify all network traffic that the app sends and receives over HTTPS. This may include sensitive information such as login credentials, financial data, or personal details. The impact varies depending on the app's functionality; in the worst case, credential theft or arbitrary code execution could be possible [1].

Mitigation

No official fix has been released for this application. The CERT/CC recommends not using affected applications when the same content is accessible via a web browser, which typically implements proper SSL validation [1]. Users should uninstall the Everest Poker app and access any related services through a secure browser instead.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:everest_poker_project:everest_poker:0.1:*:*:*:*:android:*:*
  • (no CPE) range: = 0.1

Patches

0

No patches discovered yet.

References

3
