CVE-2014-7798
Description
The Coca-Cola FM Brasil (aka com.enyetech.radio.coca_cola.fm_br) application 2.0.41709 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Coca-Cola FM Brasil Android app fails to validate SSL certificates, enabling man-in-the-middle attacks to intercept sensitive data.
Vulnerability
The Coca-Cola FM Brasil (com.enyetech.radio.coca_cola.fm_br) application version 2.0.41709 for Android does not properly verify X.509 certificates from SSL servers [1]. This means the app accepts any certificate presented during an HTTPS connection, including self-signed or forged certificates. The vulnerability was identified through dynamic SSL testing as part of a broader study of Android applications [2].
Exploitation
An attacker positioned on the same network as the victim (e.g., public Wi-Fi) can perform a man-in-the-middle attack. By presenting a crafted certificate to the app, the attacker can intercept all HTTPS traffic between the app and its servers. No authentication or user interaction beyond the victim using the app is required.
Impact
Successful exploitation allows the attacker to view or modify network traffic that should have been encrypted. This could lead to disclosure of sensitive information such as login credentials, personal data, or other content transmitted by the app. The impact is limited to the data exchanged by this specific application.
Mitigation
The vendor has not released a patched version as of the publication date (2014-10-21). Users are advised to avoid using this application and instead access Coca-Cola FM Brasil content through a web browser, which typically provides proper SSL validation [1]. The app may be removed from the device to eliminate the risk.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:enyetech:coca-cola_fm_brasil:2.0.41709:*:*:*:*:android:*:*
- (no CPE) range: = 2.0.41709
Patches
No patches discovered yet.
References
- www.kb.cert.org/vuls/id/317353 (nvd; US Government Resource)
- www.kb.cert.org/vuls/id/582497 (nvd; US Government Resource)
- docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit (nvd)