Flawed reused code opens zero-day in Cyanogenmod

An unnamed security researcher says that Cyanogenmod, the popular Android-based mobile OS, sports a zero-day vulnerability that can be misused to target users with Man-in-the-Middle attacks.

The vulnerability exists because among the additional original and third-party code implemented into the OS is also Oracle’s flawed sample code for Java 1.5 for parsing certificates to obtain hostnames.

“If you go and create a SSL certificate for a domain you own, say evil.com and in an element of the certificate signing request such as the ‘organisation name’ field you put the ‘value,cn=*domain name*, it will be accepted as the valid domain name for the certificate,” he explained to The Register’s Darren Pauli.

“Cyanogenmod uses this implementation for its browsers so you can go now and MitM someone’s phone.”

He noted that the problem can be easily fixed once the Cyanogenmod developers acknowledge and address it. They have been informed of it, but are yet to comment officially on the news.

Cyanogenmod can currently be found on over 12 million devices around the world.

The researcher, who wished to remain anonymous, says that there are many other projects (on GitHub) who used the same code, and that he had contacted them to fix the flaw.