Missing SSL certificate validation in MercadoLibre app for Android

1. Advisory Information

Title: Missing SSL certificate validation in MercadoLibre app for Android
Advisory ID: STIC-2014-0211
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-11
Date of last update: 2014-11-10
Vendors contacted: MercadoLibre (NASDAQ:MELI)
Release mode: Coordinated release

2. Vulnerability Information

Class: Improper Following of a Certificate's Chain of Trust [CWE-296]
Impact: Data loss
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Identifier: CVE-2014-5658

3. Vulnerability Description

MercadoLibre (NASDAQ:MELI) is an online trading company focused on enabling e-commerce and its related services in Latin America. According to the company [1], MercadoLibre is the largest e-commerce ecosystem in Latin America, offering a wide range of services to sellers and buyers throughout the region including marketplace, payments, advertising and e-building solutions. It operates in 13 countries including Argentina, Brazil, Chile, Colombia, Mexico, Peru, and Venezuela.

The company provides services to its users through a set of country-localized web applications and an Android application that is available for download in Argentina, Brasil, Chile, Colombia, Costa Rica, Ecuador, México, Panamá, Perú, Portugal, República Dominicana, Uruguay and Venezuela. As of November 2014 the application has between 10 and 50 million installations according to Google Play statistics [2].

Vulnerable versions of MercadoLibre's app for Android do not validate the SSL certificate presented by the server. This allows an attacker in a position to intercept traffic to present a forged certificate and perform a Man-in-the-Middle attack, capturing users' credentials to the site and credit card information.

The vendor fixed the problem in the latest version of the application. Users are advised to update their app as soon as possible.

4. Vulnerable packages

5. Vendor Information, Solutions and Workarounds

MercadoLibre acknowledged and fixed the vulnerability in version 3.10.6. They did so by updating the LoopJ Asynchronous Http Client library to a version that does not skip the certificate validation process by default.

To determine which version of the application you have installed on your Android device, go to "Settings|application settings|manage application" then tap on the MercadoLibre app.

6. Credits

This vulnerability was discovered and researched by Joaquín Manuel Rinaudo. The publication of this advisory was coordinated by Programa de Seguridad en TIC. Will Dormann of CERT/CC independently discovered the SSL certificate validation vulnerability using the CERT Tapioca tool.[5]

7. Technical Description

MercadoLibre's Android application uses the LoopJ Android Asynchronous HTTP client library [3] to communicate with the company's web services. HTTP requests destined for the server are passed through the MLAPIClient interface to this library, which is responsible for establishing a secure connection.

The vulnerability is found in the class AsyncHttpClient inside the loopj library, which uses the class FakeSocketFactory to set up new sockets used to connect to remote web services. The sockets created use a custom X509TrustManager named FakeTrustManager. The TrustManager's task is to verify that the SSL certificate presented by the server is valid (chained to a trusted CA, unexpired and issued for the expected host) in order to prevent Man-in-the-Middle attacks. Since FakeTrustManager is just an empty implementation whose check methods never throw, every SSL certificate presented to it is considered valid. This allows an attacker to mount a MITM attack to capture user authentication credentials and other security-sensitive data by intercepting traffic, creating fake X509 certificates on the fly and submitting them to MercadoLibre's Android application.
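The following Java example is added to this advisory as an illustration and is not code from the MercadoLibre application or from the LoopJ library. The class AcceptAllTrustManager is a hypothetical stand-in for the empty-implementation pattern described above, not the actual FakeTrustManager source. It shows the vulnerable wiring (an SSLContext built on a trust manager that never rejects a chain) beside the fixed wiring (the platform's default TrustManagerFactory, which validates against the system CA store), plus a small check that feeds a certificate chain to each manager so a reviewer can confirm which one rejects an untrusted certificate. The PEM path given to main() is a placeholder: supply any test certificate that is not issued by a CA in the system store.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerCheck {

    // Hypothetical stand-in for the empty-implementation pattern described in
    // the advisory (not LoopJ's FakeTrustManager source). Neither check method
    // ever throws, so any chain, including a forged one, is accepted.
    static final class AcceptAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // The platform's own trust manager. Passing a null KeyStore to init()
    // selects the system CA store, so chains are validated against it.
    static X509TrustManager platformTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Vulnerable wiring: every server certificate chain is accepted.
    static SSLSocketFactory insecureSocketFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new AcceptAllTrustManager() }, null);
        return ctx.getSocketFactory();
    }

    // Fixed wiring: the platform trust manager validates the chain.
    static SSLSocketFactory secureSocketFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { platformTrustManager() }, null);
        return ctx.getSocketFactory();
    }

    // Chain validation alone does not bind the certificate to the host name.
    // HttpsURLConnection checks the host name by default; for a raw SSLSocket
    // enable endpoint identification explicitly before the handshake.
    static SSLSocket connectWithHostnameCheck(SSLSocketFactory factory, String host, int port)
            throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    // Returns true if the trust manager accepts the chain, false if it rejects it.
    static boolean acceptsChain(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    // Usage: java TrustManagerCheck /path/to/untrusted-test-cert.pem
    // (placeholder path; use a certificate not issued by any system CA)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        X509Certificate[] chain = { cert };
        System.out.println("accept-all manager accepts the chain: "
                + acceptsChain(new AcceptAllTrustManager(), chain));
        System.out.println("platform manager accepts the chain:   "
                + acceptsChain(platformTrustManager(), chain));
    }
}
```

With a self-signed test certificate, acceptsChain() returns true for AcceptAllTrustManager and false for the platform manager, which is the behavioural difference between the vulnerable and fixed library versions. The same check is a cheap regression test for any app that ships its own X509TrustManager: if a chain that is not rooted in the device trust store is accepted, the manager is not validating.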

8. Report Timeline

9. References

[1] About MercadoLibre http://investor.mercadolibre.com/
[2] MercadoLibre for Android https://play.google.com/store/apps/details?id=com.mercadolibre
[3] LoopJ Asynchronous HTTP Client https://github.com/loopj/android-async-http
[4] Programa STIC - Vulnerability Reporting and Disclosure Procedure http://www.fundacionsadosky.org.ar/procedimiento-stic
[5] Vulnerability Note VU#582497. Multiple Android applications fail to properly validate SSL certificates. http://www.kb.cert.org/vuls/id/582497
[6] Ley 25.326 de Protección de los Datos Personales, Argentina. http://www.jus.gob.ar/datos-personales/cumpli-con-la-ley/%C2%BFcuales-son-tus-obligaciones.aspx
[7] Fandango, Credit Karma Settle FTC Charges that They Deceived Consumers By Failing to Securely Transmit Sensitive Personal Information. http://www.ftc.gov/news-events/press-releases/2014/03/fandango-credit-karma-settle-ftc-charges-they-deceived-consumers
[8] Políticas de privacidad y confidencialidad de la información, MercadoLibre. http://ayuda.mercadolibre.com.ar/seguro_privacidad

10. About Fundación Dr. Manuel Sadosky

The Dr. Manuel Sadosky Foundation is a mixed (public / private) institution whose goal is to promote stronger and closer interaction between industry and the scientific-technological system in all aspects related to Information and Communications Technology (ICT). The Foundation was formally created by a Presidential Decree in 2009. Its Chairman is the Minister of Science, Technology, and Productive Innovation of Argentina; and the Vice-chairmen are the chairmen of the country’s most important ICT chambers: The Software and Computer Services Chamber (CESSI) and the Argentine Computing and Telecommunications Chamber (CICOMRA). For more information visit: http://www.fundacionsadosky.org.ar

11. Copyright Notice

The contents of this advisory are copyright (c) 2014 Fundación Sadosky and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/