Intel Crosswalk bug invalidates SSL protection

A bug in the Intel Crosswalk Project library for cross-platform mobile development can open users to man-in-the-middle attacks, researchers from Nightwatch Cybersecurity have found.

What is the Intel Crosswalk Project?

“The Crosswalk Project, created by Intel’s Open Source Technology Center, allows mobile developers to use HTML, CSS and Javascript to develop and deploy mobile apps across multiple platforms from the same codebase,” the researchers explained.

The project supports deployment to iOS, Windows Phone and Android, but the discovered bug affects only the Android implementation. The framework has been used to build many popular apps (predominantly games), the most popular of which has been downloaded by over 10 million users.

The bug

“When a user makes a network request, an app using the Crosswalk project shows an initial error message if an invalid SSL certificate is found. If the user selects ‘OK’, the app then accepts all future SSL certificates without validation,” Carnegie Mellon University’s CERT Coordination Center (CERT/CC) succinctly explained.

“The app does not make it clear that the dialog grants permanent permission to accept invalid certificates; the user is never prompted again.”

The researchers discovered the flaw while testing a third-party Android app using this library, and responsibly reported it to Intel so that it can get fixed before it’s discovered and exploited by someone with malicious intentions.

What to do?

App developers are advised to rebuild their apps using the latest Crosswalk versions – 19.49.514.5 (stable), 20.50.533.11 and 21.51.546.0 (beta), and 22.51.549.0 (canary).

Users of apps based on the Crosswalk framework are advised to be on the lookout for updates that fix the problem. Pushing app developers who haven’t already done it to do it as soon as possible is also a good idea.