Full Disclosure mailing list archives
GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM
From: Thierry Zoller <Thierry () Zoller lu>
Date: Tue, 13 Nov 2012 22:56:07 +0100
RANT ---- The world of mobile applications appear to have become one where vulnerability disclosure and awareness are not necessary. Until there are fully automated updates and refusal of service for outdated applications I see the need for disclosure. Who will start monitoring "Appstores" updates for signs of vulnerabilities ? Note to vulnerability researches : GMA appears to be a nice fuzzing target and in general for browser security assessments.(see below on rationale) Description ----------- GMA is known as "Good™ Mobile Access" and part of "Good for Enteprise" "The secure browser is integrated into the Good for Enterprise application, delivering a safe, intelligent user experience. Employees can launch Good’s browser directly from the Good launcher bar, as well as through links included in emails. Links to public websites will automatically launch the native browser." Title : GOOD for Enterprise GMA below 2.0.2 vulnerable to MITM URL : http://www-staging.good.com/products/good-mobile-access.php Root Cause: GMA failed to validate server authenticity when connecting through HTTPS I spotted what appears to be an undisclosed vulnerability in an enterprise mobile device management system. https://itunes.apple.com/us/app/good-for-enterprise/id333202351?mt=8 Excerpt from above : What's New in Version 2.0.2 This release addresses the following [..]- GMA now validates server authenticity when connecting through HTTPS. [..] This would imply GMA to have been vulnerable to MITM prior to version 2.0.2 Disclosure Timeline : ===================== - GOOD disclosed over iTunes on the 02.08.2012 -- http://blog.zoller.lu Thierry Zoller _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM Thierry Zoller (Nov 13)
- Re: GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM Jeffrey Walton (Nov 13)
- Re: GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM Georgi Guninski (Nov 14)
- Re: GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM Jeffrey Walton (Nov 14)
- Re: GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM Georgi Guninski (Nov 14)
- Re: GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM Jeffrey Walton (Nov 13)