A vulnerability which allows a potential attacker to intercept the encrypted communication between his application gmail for Appliances iOS και το διακομιστή της Google with a man-in-the-middle (MitM) technique discovered by security researchers.
The vulnerability lies in the fact that the application does not use the legitimate certificate that validates the connection from the receiving server, a feature called certificate pinning.
Pinning in the certificate for the server will normally have to be hard-coded to allow the exchange of information only when it encounters a server-side match.
The Gmail app for iOS devices does not have this feature, so cybercriminals could use a malicious certificate to emulate the server through their systems, thus gaining access to the information in unencrypted form.
Researchers from the company Lacoon mobile security presented an attack scenario, which includes a man-in-the-middle attack. In the attack, the researchers manage to add an unauthorized CA certificate.
So when the victim runs the Gmail application, all of the application traffic is under the control of the researchers, giving them access to all communication in plain text.
Google which is usually very sensitive to themesecurity in their products, it seems that this time there is not much he can do. Lacoon mobile security said it has shared the vulnerability with Google since February 24th and no patch has been released to date.
“The Lacoon research team informed Google of this problem on 24 February. Google recognized the defect and validated it. We were told they were going to fix it but to this day, the vulnerability still exists, "said Avi Bashan.