CyanogenMod allegedly susceptible to Man-in-the-Middle attacks due to negligence
Being the most popular 3rd-party ROM for Android, CyanogenMod surely basks in a lot of popularity from those Android users who are into custom firmwares. Unfortunately though, it appears that the ROM might pose a lot of security threats to its users, as it is allegedly susceptible to MitM (Man in the Middle) attacks. Discovered by an anonymous security researcher, the breach has the potential to bring some trouble in paradise for those who make use of CyanogenMod and the numerous other ROMs that derive from it.
The reason for this extremely serious breach is pure negligence. See, the researcher claims the team behind CyanogenMod has just “copy-pasted” an outdated code sample of Oracle's Java 1.5. The code is used so as to parse certificates and take cold of hostnames, but suffers from an old bug and is by no means resistant to MitM attacks.
The anonymous researcher has subsequently tried to reach up to Cyanogen and inform them about the gaping hole in CyanogenMod's security. Hopefully, the team behind the popular ROM has undertaken the necessary actions and will fix the flaw.
"I was looking at HTTP component code and I was thinking I had seen this code before. I checked on GitHub and found out a tonne [sic] of others were using it," the anonymous security insider revealed. "If you go and create a SSL certificate for a domain you own, say evil.com and in an element of the certificate signing request such as the 'organisation name' field you put the 'value,cn=*domain name*, it will be accepted as the valid domain name for the certificate."
The anonymous researcher has subsequently tried to reach up to Cyanogen and inform them about the gaping hole in CyanogenMod's security. Hopefully, the team behind the popular ROM has undertaken the necessary actions and will fix the flaw.
source: The Register via AmongTech
Things that are NOT allowed: