BlackBerry has patched a vulnerability in its BlackBerry 10 devices that could allow an attacker to intercept users’ traffic to and from the BlackBerry World app store and potentially install malware on a targeted device.
The vulnerability is a weakness in the integrity checking system that BlackBerry uses to verify the apps that users download. If an attacker is able to gain a man-in-the-middle position between a user and the BlackBerry World servers, he could replace the legitimate requested app with malware. BlackBerry officials say that the vulnerability only affects the devices running BlackBerry 10, and recommend that install the new version of the World app as soon as possible.
“A vulnerability exists in the BlackBerry World service’s download mechanism, which is used by the BlackBerry World app on affected BlackBerry 10 smartphones. BlackBerry World allows you to search for and download apps for your BlackBerry device. BlackBerry World employs application integrity checking and secure download methods to ensure that the correct app is downloaded and installed,” the BlackBerry advisory says. “
In some cases, a weakness in these methods could allow an attacker, through a man-in-the-middle attack, to intercept a user’s BlackBerry World application download and, as a result, install malware on the device. Successful exploitation of this vulnerability could potentially result in an attacker gaining access to any data or settings that are accessible through the permissions that the user accepted when installing the malicious app.”
The vulnerability affects versions 10.2, 10.2.1 and 10.3 of the BlackBerry World app. The company said that user communications with BlackBerry World now are done over SSL, which can help protect against MITM attacks.