VYPR
Unrated severity · NVD Advisory · Published Oct 21, 2014 · Updated May 6, 2026

CVE-2014-7667

Description

The Coca-Cola FM Honduras (aka com.enyetech.radio.coca_cola.fm_hn) application 2.0.41725 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Coca-Cola FM Honduras Android app fails to validate SSL certificates, enabling man-in-the-middle attacks to steal sensitive data.

Vulnerability

The Coca-Cola FM Honduras (com.enyetech.radio.coca_cola.fm_hn) application version 2.0.41725 for Android does not verify X.509 certificates from SSL servers. This means the app accepts any certificate presented during an HTTPS connection without validating its chain of trust against a trusted root certificate authority. The vulnerability exists in the network communication code path of the application when it connects to its backend servers.
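Common ways an Android app ends up accepting any certificate are a trust-all `X509TrustManager`, a `HostnameVerifier` that always returns true, the legacy `ALLOW_ALL_HOSTNAME_VERIFIER`, or a WebView that calls `proceed()` on SSL errors. The following Python check is an added example, not code from the advisory or the app (the page does not say which pattern this app uses); it scans decompiled Java source for those patterns, and the rule names and both sample inputs are constructed for illustration.

```python
import re

# Matches a string literal, a block comment, or a line comment (in that order),
# so that "https://..." inside a string is not mistaken for a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)

RULES = {  # hypothetical rule names; the Java identifiers are real APIs
    "trust-all-checkServerTrusted": re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\s*\{\s*\}"),
    "verify-returns-true": re.compile(
        r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
    "allow-all-hostname-verifier": re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b"),
    "webview-ssl-error-proceed": re.compile(
        r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)"),
}

def strip_comments(src):
    """Blank out comments, keeping newlines so line numbers stay correct."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r"[^\n]", " ", tok)
    return _TOKEN.sub(repl, src)

def scan(source):
    """Return sorted (line_number, rule_name) findings for one Java source text."""
    code = strip_comments(source)
    return sorted((code.count("\n", 0, m.start()) + 1, name)
                  for name, rx in RULES.items() for m in rx.finditer(code))

# Constructed sample: certificate and hostname checks both disabled.
VULNERABLE = '''\
class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException { /* accept everything */ }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
class Net {
    // see https://example.invalid/api
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String host, SSLSession s) { return true; }
    };
}
'''
# Constructed sample: platform defaults left in place, so nothing is flagged.
HARDENED = '''\
class Net {
    // Never install ALLOW_ALL_HOSTNAME_VERIFIER; the default validates the chain.
    HttpsURLConnection open(URL u) throws IOException {
        return (HttpsURLConnection) u.openConnection();
    }
}
'''
if __name__ == "__main__":
    for line, rule in scan(VULNERABLE):
        print(f"line {line}: {rule}")
```

A clean result only means none of these four patterns is present; a proxy-based test with an untrusted certificate is still needed to confirm the app rejects it at runtime.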

Exploitation

An attacker with network access (e.g., on the same Wi-Fi network as the victim) can perform a man-in-the-middle (MITM) attack. By presenting a crafted certificate (e.g., self-signed or issued by an untrusted CA) to the app, the attacker can intercept the HTTPS traffic. The attacker does not need prior authentication to the app; they only need to be positioned to intercept network packets between the Android device and the server [1].

Impact

A successful attacker can read (disclose) and potentially modify network traffic that should have been protected by HTTPS. This can lead to credential theft, exposure of personal or sensitive information, or arbitrary code execution depending on the nature of the intercepted data [1]. The attacker gains the ability to spoof the legitimate server and obtain any sensitive information transmitted by the app.

Mitigation

The vendor (Enyetech / Coca-Cola) has not released a patched version as of the publication date. The CERT/CC recommends not using the affected application and instead accessing content via a web browser, which typically implements proper SSL validation [1]. Users should uninstall the app or seek an alternative official client that correctly validates certificates.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:enyetech:coca-cola_fm_honduras:2.0.41725:*:*:*:*:android:*:*
  • (no CPE) range: =2.0.41725

Patches

0

No patches discovered yet.

References

3
