Security researcher David Coomber has unearthed a vulnerability (CVE-2016-6231) in the Kaspersky Safe Browser iOS app that effectively contradicts its name.
The app does not validate the SSL/TLS certificate a server presents when it connects to an HTTPS site. An attacker with Man-in-the-Middle capabilities (on the same Wi-Fi network, say, or controlling a hop on the path) can therefore “present a bogus SSL certificate for a secure site which the application will accept silently.”
From that point on, everything exchanged between the app and the site can be read, and altered, by the attacker – usernames and passwords come to mind.
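The flaw described above is the classic “accept any server certificate” mistake. As an added illustration (not Kaspersky’s code, and nothing on this page says how the app was actually implemented), the following Swift snippet shows the vulnerable `URLSession` delegate pattern next to a hardened one. The class names, the `pinnedLeafSHA256` parameter and the `makeSession` helper are assumptions introduced here for the example:

```swift
import Foundation
import CryptoKit

// VULNERABLE pattern (illustrative only, not the app's code): every server
// certificate is accepted, so a MITM presenting a self-signed or attacker-issued
// certificate for the site is never rejected. Chain, expiry and hostname are
// all ignored.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // No evaluation of `trust` at all: this is the bug.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// HARDENED pattern: let Security.framework evaluate the chain against the
// system trust store with an explicit SSL policy for the requested hostname,
// and optionally pin the leaf certificate on top of that.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    /// SHA-256 digests of DER-encoded leaf certificates the app will accept.
    /// Empty set = no pinning, plain chain + hostname validation only.
    /// (Hypothetical parameter; a real app would embed its own site's digests.)
    private let pinnedLeafSHA256: Set<Data>

    init(pinnedLeafSHA256: Set<Data> = []) {
        self.pinnedLeafSHA256 = pinnedLeafSHA256
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Chain validation against the system roots, with a policy that
        //    also requires the certificate to match the host we asked for.
        let host = challenge.protectionSpace.host
        let policy = SecPolicyCreateSSL(true, host as CFString)
        SecTrustSetPolicies(trust, policy)
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            // Untrusted chain, expired cert, hostname mismatch, ... : abort the
            // connection instead of silently continuing.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Optional pinning: even a valid chain is rejected unless the leaf
        //    certificate is one we expect. Defeats a MITM holding a
        //    CA-issued certificate for the same name.
        if !pinnedLeafSHA256.isEmpty {
            guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
                completionHandler(.cancelAuthenticationChallenge, nil)
                return
            }
            let der = SecCertificateCopyData(leaf) as Data
            let digest = Data(SHA256.hash(data: der))
            guard pinnedLeafSHA256.contains(digest) else {
                completionHandler(.cancelAuthenticationChallenge, nil)
                return
            }
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Helper (assumed for this example) that wires the hardened delegate in.
func makeSession(pinnedLeafSHA256: Set<Data> = []) -> URLSession {
    let delegate = ValidatingDelegate(pinnedLeafSHA256: pinnedLeafSHA256)
    return URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
}
```

Two points worth keeping in mind when reviewing an iOS client for this bug. First, if an app never overrides the server-trust challenge at all, `URLSession` (and `NSURLConnection` before it) already performs the chain and hostname checks the hardened delegate does; the vulnerability almost always comes from code that deliberately overrides the challenge handler, typically to make a staging environment with a self-signed certificate work and then shipped that way. Second, the quickest black-box check is to route the device through an intercepting proxy whose CA is *not* installed on the device: a correctly validating app must refuse to load any HTTPS page, while an app with the pattern above loads them without complaint.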
Kaspersky Safe Browser is meant to detect and block malicious and counterfeit websites, so a flaw that lets an attacker impersonate any HTTPS site undermines the very thing it is supposed to protect against.
Kaspersky has already fixed it: after Coomber reported the flaw, the company released version 1.7.0 of the app, which no longer accepts invalid certificates and is available for download.
Kaspersky also noted that “this vulnerability could have been exploited only if a user opens a malware HTTPS link that is not detected by antiphishing or other antimalware engines embedded in the application.”