430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A critical MiTM flaw in AFNetworking iOS, OS X framework was fixed

Security experts at Minded Security firm have recently discovered a flaw in the popular networking library for iOS and OS X AFNetworking. The researchers Simone Bovi and Mauro Gentile at the security firm Minded Security discovered a flaw in the popular networking library for iOS and OS X AFNetworking. The researchers found the flaw while were […]

A critical MiTM flaw in AFNetworking iOS, OS X framework was fixed

Security experts at Minded Security firm have recently discovered a flaw in the popular networking library for iOS and OS X AFNetworking.

The researchers Simone Bovi and Mauro Gentile at the security firm Minded Security discovered a flaw in the popular networking library for iOS and OS X AFNetworking. The researchers found the flaw while were conducting the analysis of a mobile application for one of their clients.were conducting the analysis of a mobile application for one of their clients.

The flaw appeared very serious, popular mobile applications like Pinterest, Vine, Herokuand Simple use the networking library for iOS and OS X exposing the users to man-in-the-middle (MiTM) attacks.

flaw  iOS and OS X AFNetworking 2

The development team behind the framework AFNetworking promptly pushed a fix for the security issue.

“It turned out that because of a logic flaw in the latest version of the library, SSL MiTM attacks are feasible in apps using AFNetworking 2.5.1. The issue occurs even when the mobile application requests the library to apply checks for server validation in SSL certificates.” Bovi explained in a blog post.

The experts estimated that the security issue could affect a very high number of mobile users.
The experts observed the problem even when the mobile application requests the AFNetworking library to apply checks for server validation in SSL certificates.
As consequence, a threat actor could intercept SSL traffic by using a proxy service such as the Burp Suite.

“After a few minutes, we figured out that there was a logical bug while evaluating trust for SSL certificates, whose consequence was to completely disable SSL certificate validation,” continues the post.

The researchers Bovi and Gentile have found the details of the flaw in a Github forum post in early February, in the post it is explained that AFNetworking framework could allow connection to https servers with invalid certificates.

The flaw seems to affect the version 2.5.1 of the library that was released in January 2015.

“I have verified that a malicious proxy server can sniff all the contents of HTTPS communication in this case,” reported the Github user duttski, who devepoed a temporary patch for the issue waiting for a final fix.

The creator of the libraryMattt Thompson, who currently maintains AFNetworking, promptly released the libraryMattt Thompson, who currently maintains AFNetworking, promptly released the libraryMattt Thompson, who currently maintains AFNetworking, promptly released the Version 2.5.2 and fixed the issue by adding “test and implementation of strict default certificate validation”.

Pierluigi Paganini

(Security Affairs –  MITM,  AFNetworking)