This article is more than 1 year old
Intel's Crosswalk open source dev library has serious SSL bug
You know the drill, people: patch and push
Developers using Intel's Crosswalk SSL library: it's time to patch and push out an upgrade.
Crosswalk is a cross-platform library that supports deployment to Android, iOS and Windows Phone, but the bug is Android-specific.
The library has a bug in how it handles SSL errors, and as a result, end users on Android could be tricked into accepting MITM certificates.
As consultancy Nightwatch Cyber Security explains, if a user accepts one invalid or self-signed SSL certificate, Crosswalk remembers that choice and applies it to all future certificates.
In other words, if an attacker tricked a user into accepting a bad cert from (for example) a Wi-Fi hotspot, Crosswalk would retain that choice forever, so a future MITM attack would pass without presenting any certificate warning to the end user: “This applies even to connections over different WiFi hotspots and different certificates”, the advisory states.
As with all toolchain bugs, its impact is as big as the reach of the downstream apps that use it: the number-one app in Crosswalk's showcase, “Pirate Treasures”, claims 10 million downloads, and all off the top fifteen have more than 500,000 downloads.
All three branches of Crosswalk for Android – stable, beta and “canary” – need to be upgraded, and fixed apps pushed to users. ®
Biting the hand that feeds IT
