A malicious user could perform a Man-in-The-Middle attack to extract user’s sensitive information
Network security and ethical hacking specialists
from the International Institute of Cyber Security report the finding of a new
vulnerability in the desktop application for Windows Sky Go; the error in
question leaks multiple session data, including victim’s usernames.
Sean Wright, specialized in application
security, mentions that the vulnerability (tracked as CVE-2018-18908), is related to data transfer in plain text files.
Wright claims that the Sky Go usernames and other session data are at risk.
This desktop application performs multiple
requests via simple HTTP. Without any encryption in the corresponding place, no
information sent through these requests is reviewed or protected, which leaves
users widely vulnerable to a cyberattack, especially to Man-in-the-Middle
(MiTM) attacks, as the malicious hackers can monitor data streams without
encrypting and disrupting communication channels or stealing data.
“When Sky Go is installed and executed, the
victim’s username is found in several requests made in plaint HTTP,” reports
the network
security expert. “If an attacker accesses these requests through a MiTM
attack, they might get the victim’s username. In addition, some applications
contain information that could be used in other hacking activities”, added
Wright.
The vulnerability was discovered in May 2018
and publicly disclosed on January 2019, receiving a score of 5.4/10 on the
Common vulnerability Scoring System (CVSS) scale. The vulnerability affected
the versions between 1.0.23-1 and 1.0.19-1 of Sky Go, although the possibility
that more versions could be affected has not been ruled out.
Although Wright reported on the vulnerability
to Sky teams the same day he discovered it, the vendor took almost a week to
answer. In addition, it was claimed that the vulnerability had been corrected
on June 8 2018, although Sky released the corresponding update patch until
September 2018.
Network security experts are still unaware of
whether this flaw has already been corrected; on the other hand, Wright
mentions that Sky stopped communicating with him after they allegedly solved
the flaw, so he believes the vulnerability has not yet been corrected.
“This incident highlights the fact that some
companies, even the largest, are stagnating in the transition to HTTPS,” says
Wright. “In the cybersecurity community we hope that public disclosure of this
kind of incidents will serve companies to complete this transition shortly,”
Wright concluded.
