A popular Android app used to access corporate email, calendar and contacts via Microsoft Exchange servers is vulnerable to leaking user credentials to attackers.
The application, called Nine, could allow an attacker to mount a man-in-the-middle attack and steal victims' corporate usernames and passwords, according to researchers at Rapid7.
The Nine app, installed on as many as one million Android devices according to Google Play download data, received a version 3.1.0 update on Thursday to address the vulnerability.
Rapid7 researcher Derek Abdine discovered the vulnerability in August and publicly disclosed the bug (CVE-2016-6533) on Tuesday. The problem, said Tod Beardsley, senior security research manager at Rapid7, is that the Nine app lacked certificate validation when connecting to a Microsoft Exchange server, regardless of SSL/TLS trust settings.
“Attackers can pluck names and passwords out of the traffic or snag confidential emails as they pass by. Basically it’s game over for victims,” Beardsley said.
According to Rapid7, the attacker and victim would have to share the same mobile network to exploit the vulnerability. In a likely scenario, an attacker would use a rogue Wi-Fi wireless access point (WAP) configured to capture Nine application traffic to Microsoft Exchange servers. When an unsuspecting Nine user connects to that malicious access point, the attacker can intercept the traffic and obtain the target's Active Directory login credentials.
“An attacker in a privileged position within the same network as the mobile device running Nine can man-in-the-middle traffic to the remote Exchange server (such as outlook.office365.com in the case of outlook365 corporate email),” wrote Rapid7 in a blog post describing the vulnerability.
Using a common tool such as mitmproxy, an attacker can capture the base64-encoded account credentials and decode them. "The attacker could funnel HTTPS traffic to mitmproxy which serves self-signed certificates from an otherwise invalid certificate authority," Rapid7 wrote.
"Communication between Nine and the remote Exchange ActiveSync service may happen when the victim opens his or her phone, when an email is received (and push is enabled), or when the phone polls the remote service. All communication packets contain the victim's credentials in an HTTP basic authentication header," according to Rapid7.
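The defect class described above, a client that accepts any certificate while sending HTTP Basic credentials on every request, as an added Go example that is not Nine's code or Rapid7's: a local TLS server whose self-signed certificate no trust store knows stands in for the endpoint a man-in-the-middle presents, and a validating client refuses it before the Authorization header is ever sent. The server, the `/Microsoft-Server-ActiveSync` path and the credential values are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net/http"
	"net/http/httptest"
)

// StartUntrustedServer runs a TLS server on a self-signed certificate no client
// trust store knows, the kind of endpoint a man-in-the-middle presents. It answers
// 200 only if the request carried an Authorization header. (Constructed for this example.)
func StartUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
}

// NewClient builds the HTTPS client. skipVerify=true reproduces the class of defect
// described above (any certificate accepted); roots=nil means the platform trust store.
func NewClient(skipVerify bool, roots *x509.CertPool) *http.Client {
	cfg := &tls.Config{InsecureSkipVerify: skipVerify, RootCAs: roots}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// Sync issues one ActiveSync-style request carrying HTTP Basic credentials, as the
// article says every Nine request did. A validation failure errors before the header is sent.
func Sync(c *http.Client, base, user, pass string) (int, error) {
	req, err := http.NewRequest(http.MethodPost, base+"/Microsoft-Server-ActiveSync", nil)
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(user, pass)
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	return resp.StatusCode, resp.Body.Close()
}

// IsUntrustedCert reports whether err is a TLS certificate-validation failure.
func IsUntrustedCert(err error) bool {
	var ua x509.UnknownAuthorityError
	var sr x509.SystemRootsError
	return errors.As(err, &ua) || errors.As(err, &sr)
}
```

Adding the server's own certificate as an explicit trust anchor (x509.NewCertPool plus AddCert) lets a validating client reach a known server without turning verification off, which is the shape of the fix the article describes.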
The South Korean firm has updated its app to version 3.1.0, which adds certificate validation and fixes the flaw, Beardsley confirmed. Because automatic-update settings vary from one Android handset to another, Beardsley suggests that every Nine user manually update the app to the latest version.