Risk of losing login data in man-in-the-middle attack

Jun 24, 2015 12:40 GMT  ·  By

A security flaw in the mechanism used by Instapaper Android app to log in users over a secure connection allows anyone interposed between the client and the server to collect the victim’s credentials.

Instapaper lets users save online articles in a mobile-friendly format and read them later, when no Internet connection is available. It boasts between 100,000 and 500,000 installations and enjoys a fairly large number of positive reviews, with an overall rating of 4.2 from more than 4,700 users.

Legitimacy of the server not verified

When logging in, the app sends the data over a secure HTTPS connection, which should in theory prevent the credentials from leaking, but Vlad Bordianu from Bitdefender found in version 4.1.4 of the product that there was no validation of the server receiving the data.

Basically, the username and password are encrypted in transit, but there is no verification that they reach the intended, legitimate recipient.

“If someone were to perform a man-in-the-middle attack, he could use a self-signed certificate and start ‘communicating’ with the application,” Bitdefender said in a blog post on Tuesday.

Instapaper uses an SSLSocketFactory class, which enables encrypted data exchange based on a valid certificate, but it appears that the TrustManager it relies on has no implementation for checking the legitimacy of the server.
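To make the mechanism concrete, the snippet below (an added illustration, not code from Instapaper or Bitdefender; class and method names are hypothetical) contrasts a TrustManager whose checks are left empty, which accepts any certificate including a self-signed one, with one that defers to the platform's CA store and pairs it with hostname verification.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerExample {

    // The weak pattern the article describes: checkServerTrusted() never throws,
    // so any certificate chain is accepted and the connection still "succeeds".
    static final X509TrustManager ACCEPT_ANY_SERVER = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Traffic is encrypted, but the peer's identity is never checked.
    static SSLSocketFactory weakFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { ACCEPT_ANY_SERVER }, null);
        return ctx.getSocketFactory();
    }

    // The corrected pattern: let the platform's default trust store validate the
    // chain. checkServerTrusted() throws CertificateException for an untrusted
    // (e.g. self-signed) certificate, so the handshake fails instead of leaking data.
    static SSLSocketFactory hardenedFactory() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null selects the platform's default CA store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Chain validity alone is not enough: also confirm the certificate was issued
    // for the host actually being contacted.
    static HttpsURLConnection openVerified(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(hardenedFactory());
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }
}
```

A quick audit check for this class of bug is to search an app's code for X509TrustManager implementations whose checkServerTrusted() body is empty or only logs.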

During a man-in-the-middle attack, anyone with a trusted certificate can get the credentials of an Instapaper client and gather more information about the victim for a future, more targeted attack.

App receives update but may still be vulnerable

An attacker could also try the username and password on popular online services since a large number of users recycle their credentials for multiple accounts.

Bitdefender notified the developer about the problem but received no confirmation of the vulnerability or details on when a fix would be available.

Instapaper received an update on Tuesday to version 4.2, which solves the issue.