Kaspersky Safe Browser iOS Application - MITM SSL Certificate Vulnerability (CVE-2016-6231)
"Stay safe from malicious links, suspicious content and identity theft while you are surfing the Internet."
"Our Safe Browser covers the original iPhone & iPad web browser and detects & blocks phishing sites that can steal your money & your account details, eliminates unwanted content & notifies about spam links - for you to surf the web without frontiers… safely."
"You will get:
- Advanced Anti-Phishing to effectively block fake websites
- Proactive detection of fraudulent links / URLs - powered by the cloud
- Content filtering to choose & block specific categories of unwanted info
- Safe internet browsing across Google, Bing, Yandex and Yahoo search engines"
The Kaspersky Safe Browser iOS application (version 1.6.0 and below) does not validate the SSL certificates it receives when connecting to secure sites.
An attacker who can perform a man-in-the-middle attack may present a bogus SSL certificate for a secure site, which the application will accept silently.
Usernames, passwords and sensitive information could be captured by an attacker without the user's knowledge.
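The delegate pattern that typically produces this class of bug (accepting any server trust object without evaluating it), beside a validating form, as an added Swift example that is not code from the Kaspersky app or from this advisory; the app's actual implementation is not shown here, and `TrustEverythingDelegate` and `ValidatingDelegate` are names chosen for illustration:

```swift
import Foundation
import Security

// Insecure pattern: every server certificate is accepted, so anyone on the
// network path can present any certificate for any host and the session proceeds.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // The chain is never evaluated: this is the bug class described above.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// Hardened pattern: the chain is evaluated against the system trust store and
// the hostname the connection was made to before it is allowed to continue.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            // Not a server-trust challenge (e.g. client auth): defer to the system.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Bind the evaluation to the expected hostname, then evaluate the chain.
        let policy = SecPolicyCreateSSL(true, space.host as CFString)
        _ = SecTrustSetPolicies(trust, policy)
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Untrusted chain or hostname mismatch: abort rather than fall back.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Simplest correct option: not implementing the challenge callback at all leaves
// URLSession's default validation in place, which already rejects bogus certificates.
let session = URLSession(configuration: .default, delegate: ValidatingDelegate(), delegateQueue: nil)
```

A quick check for either form is to connect through a proxy presenting a self-signed certificate: the validating delegate (or the default handling) fails the connection, while the trust-everything delegate completes it silently.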
June 23, 2016 - Notified Kaspersky via firstname.lastname@example.org
June 23, 2016 - Kaspersky responded that they will investigate
June 27, 2016 - Kaspersky confirmed the vulnerability and advised that the issue would be resolved in the next release
June 27, 2016 - Asked for a timeline when the new version would be released
June 30, 2016 - Kaspersky responded stating that they do not yet have a release date
July 18, 2016 - Kaspersky advised that the update is scheduled to be released at the end of July
July 28, 2016 - Kaspersky released version 1.7.0 which resolves this vulnerability
Upgrade to version 1.7.0 or later
Kaspersky's Pwnie Nomination For Most Epic FAIL