
Published on July 7th, 2020


VIPRE Password Vault 1.100.1090 Man-In-The-Middle ≈ Packet Storm



VIPRE Password Vault iOS Application - MITM SSL Certificate Vulnerability (CVE-2020-14981)
--
https://www.info-sec.ca/advisories/Vipre-Password-Vault.html

Overview
"VIPRE Password Vault is the fast and easy way to securely manage all of your passwords without the hassle of writing them down or storing them on a spreadsheet. Whether you are logging into your favorite social media site, ordering the latest gadget from your favorite e-tailer, paying your bills online, or booking your vacation log in safely and securely using VIPRE’s new password manager."

(https://support.threattracksecurity.com/support/solutions/articles/1000104275-what-is-vipre-password-vault)

Issue
The VIPRE Password Vault iOS application (version 1.100.1090 and below; later versions have not been tested) does not validate the SSL certificate it receives when connecting to the application login server.





Impact
An attacker who can perform a man-in-the-middle attack may present a bogus SSL certificate, which the application will accept silently. Sensitive information such as passwords could be captured by an attacker without the user's knowledge.

Timeline
July 18, 2015 - Attempted to notify ThreatTrack Security via security@vipreantivirus.com
July 29, 2015 - Notified ThreatTrack Security via a contact form
July 31, 2015 - ThreatTrack Security advised that the information has been routed to the proper team for remediation
December 3, 2015 - Provided the details to CERT/CC
April 3, 2016 - Provided the details to the Apple Product Security team
June 22, 2020 - Published an advisory to document the issue

CVE-ID:
CVE-2020-14981
