Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

ThreatMetrix SDK for iOS fails to validate SSL certificates

9

997440

Cancelled
Original poster
Oct 11, 2015
938
664
I don't know if the vulnerability is limited to particular versions of iOS, nor have I seen any list of affected apps. If your mobile computing behavior includes using untrusted networks, including public WiFi, it'd be best to change your behavior to one of avoiding them until you check with vendors as to the ThreatMetrix SDK version used, and update as necessary. This is scored as a medium severity threat.
Original Release date: 10 Jan 2017 | Last revised: 10 Jan 2017
Overview
On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail to validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack.

Description
ThreatMetrix is a security library for mobile applications, which aims to provide fraud prevention and device identity capabilities. The ThreatMetrix SDK versions prior to 3.2 do not validate SSL certificates on the iOS platform.

Impact
An attacker on the same network as or upstream from the iOS device may be able to view or modify ThreatMetrix network traffic that should have been protected by HTTPS.

Solution
Apply an update

This issue has been addressed in ThreatMetrix SDK versions 3.2 and later. Any iOS application that uses a vulnerable version of the ThreatMetrix SDK will need to be regenerated with an updated version of the library.

Avoid untrusted networks

Avoid using untrusted networks, including public WiFi. Using your device on an untrusted network increases the chance of falling victim to a MITM attack.
[...]
Click to expand...
http://www.kb.cert.org/vuls/id/767208
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back