There was recently a security vulnerability reported to the Crosswalk team. I want to talk about this vulnerability here because this is how vulnerabilities should be handled. In Intel’s Open Source Technology Center (and Intel in general), we always try to practice Responsible Disclosure. I want to sincerely thank Nightwatch Cybersecurity for working with the Crosswalk team to get this resolved.
Their disclosure to us is as follows:
Vulnerability:
==============
* Software/Product(s) containing the vulnerability:
Crosswalk project
* Please describe the vulnerability:
If an MITM proxy is used for SSL, the application shows an error message about an invalid SSL certificate. If the user presses “OK”, all future communication accepts any SSL certificate even if not valid.
Contrast this with regular Android / iOS applications where each network request re-checks if the certificate is valid.
Anyone using Crosswalk project to build an app is affected.
* How may an attacker exploit this vulnerability?
Users of app can be fooled into using the app even with an error
* What is the impact of exploiting this vulnerability?
Get user’s data
* How did you find the vulnerability?
manual test of Fastmail Android app
This issue has been resolved and is fixed in all current versions of Crosswalk. Specifically, the fix was introduced in:
- 19.49.514.5 (stable)
- 20.50.533.11 (beta)
- 21.51.546.0 (beta)
- 22.51.549.0 (canary)
These updates can be found at the following URLs:
- https://download.01.org/crosswalk/releases/crosswalk/android/stable/
- https://download.01.org/crosswalk/releases/crosswalk/android/beta/
- https://download.01.org/crosswalk/releases/crosswalk/android/canary/
The post Crosswalk security vulnerability appeared first on Intel Software and Services.