Instapaper for Android vulnerable to man-in-the-middle attacks

Bitdefender researchers have discovered that Android app Instapaper is vulnerable to man-in-the-middle attacks that could expose users’ signup/login credentials when logging into their accounts.

Users that sign in to a Wi-Fi network that is being monitored could have usernames and passwords intercepted using a fake certificate and a traffic-intercepting tool.

“The vulnerability may have serious consequences, as while the attacker might seem to only gain access to your Instapaper account, many people use the same password for multiple accounts,” warns Catalin Cosoi, Chief Security Strategist at Bitdefender. “A cybercriminal could try and use your Instapaper password to access your social media or email accounts. Studies have shown that over 50% of users reuse the same password, so the chances are that more than one account could be vulnerable if your Instapaper credentials have been stolen.”

Instapaper allows users to save and store articles for reading, particularly for when they are offline, on the go, or simply don’t have access to the internet. The application works by saving most web pages as text only and formatting their layout for tablets or phone screens. Those who want to use the application are required to sign-up and create an account to review notes, liked articles or access other options.

“The vulnerability lies not in the way the application fetches content but in the way it implements, or in this case, doesn’t implement, certificate validation,” adds Catalin Cosoi. “Although the entire communication is handled via HTTPS, the app performs no certificate validation. If someone were to perform a man-in-the-middle attack, they could use a self-signed certificate and start ‘communicating’ with the application.”

The application sets a SSLSocketFactory and uses a TrustManager without having any implementation for certification validation. The SSLSocketFactory class is responsible for validating the HTTPS server against a list of certificates and validating the authenticity of the HTTPS server using a private key.

The implementation of this class is particularly important as it enables server authentication and guarantees that communication between the user and server is encrypted and cannot be viewed in plain text by traffic-sniffing tools.

The TrustManager checks whether the specified certificate chain can be validated and is trusted for client/server authentication for the specified authentication type. In other words, if there is no implementation for TrustManager, anyone can impersonate the Instapaper server and start collecting authentication credentials via a man-in-the-middle attack.

Share this