VYPR
Unrated severity · NVD Advisory · Published Oct 21, 2014 · Updated May 6, 2026

CVE-2014-7647

Description

The BOOKING DISCOUNT (aka com.wmygoodhotelscom) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The BOOKING DISCOUNT Android app does not verify SSL certificates, enabling man-in-the-middle attacks to intercept sensitive data.

Vulnerability

The BOOKING DISCOUNT application (com.wmygoodhotelscom) version 0.1 for Android fails to properly validate X.509 certificates from SSL servers. This means the app does not verify that the certificate presented by an HTTPS server is issued by a trusted certificate authority. The vulnerability is present in the app's SSL/TLS implementation, which accepts any HTTPS connection without chain validation. [1]

Exploitation

An attacker on the same network as the Android device (e.g., on public Wi-Fi) can perform a man-in-the-middle attack by presenting a crafted certificate. The app will accept this certificate without verification, allowing the attacker to intercept and potentially modify the HTTPS traffic between the app and its servers. The attacker needs no special authentication and no user interaction, only a position on the network. [1]

Impact

Successful exploitation allows the attacker to view or modify network traffic that should have been protected by HTTPS. This can lead to disclosure of sensitive information such as login credentials, personal data, or other information transmitted by the app. The impact varies based on the app's functionality; in this case, the app is for booking discounts, so financial or personal information may be at risk. [1]

Mitigation

The CERT/CC recommends not using affected applications and instead accessing the same services via a web browser, which typically has proper SSL validation. As of the publication date (2014-10-21), no patch for version 0.1 has been mentioned. Users should uninstall the app and use alternative methods. [1]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

References (3)
