Hole Fixed in Intel Crosswalk
Monday, August 1, 2016 @ 02:08 PM gHale
The discovered bug affects only the Android implementation. Developers used the framework to build popular apps, the most popular of which has been downloaded by over 10 million users.
“When a user makes a network request, an app using the Crosswalk project shows an initial error message if an invalid SSL certificate is found. If the user selects ‘OK,’ the app then accepts all future SSL certificates without validation,” said researchers at Carnegie Mellon University’s CERT Coordination Center (CERT/CC).
“The app does not make it clear that the dialog grants permanent permission to accept invalid certificates; the user is never prompted again,” the researchers said.
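The behaviour CERT/CC describes, modelled as an added example (not Crosswalk's code and not code from the original article): a policy that flips an app-wide flag after one "OK", next to a fail-closed policy. The class names, hosts and request sequence are constructed for illustration.

```python
# Added illustration: a language-neutral model of the decision logic CERT/CC
# describes. Class and host names are hypothetical; this is not Crosswalk code.
from dataclasses import dataclass, field


@dataclass
class StickyAcceptPolicy:
    """Flawed pattern: one 'OK' on the error dialog disables validation for good."""
    accept_all: bool = False
    prompts: list = field(default_factory=list)

    def allow(self, host, cert_valid, user_clicks_ok=False):
        if cert_valid or self.accept_all:
            return True                  # invalid certs pass silently once flag is set
        self.prompts.append(host)        # dialog shown only for the first failure
        if user_clicks_ok:
            self.accept_all = True       # permanent, app-wide, never re-prompted
        return user_clicks_ok


@dataclass
class FailClosedPolicy:
    """Hardened pattern: an invalid certificate always aborts the request."""
    rejected: list = field(default_factory=list)

    def allow(self, host, cert_valid, user_clicks_ok=False):
        if cert_valid:
            return True
        self.rejected.append(host)       # surface the failure; keep no override state
        return False


# Constructed sample traffic: (host, certificate chain validates?, user clicks OK?)
REQUESTS = [
    ("api.example.test", True, False),
    ("cdn.example.test", False, True),     # invalid cert, user dismisses the dialog
    ("login.example.test", False, False),  # later invalid cert on a different host
    ("api.example.test", False, False),
]


def replay(policy):
    """Return the allow/deny decision for each constructed request, in order."""
    return [policy.allow(host, valid, ok) for host, valid, ok in REQUESTS]


if __name__ == "__main__":
    print("sticky     :", replay(StickyAcceptPolicy()))
    print("fail-closed:", replay(FailClosedPolicy()))
```

In the sticky model only the first invalid certificate produces a prompt; every later one, on any host, is accepted without the user seeing anything.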
The researchers discovered the flaw while testing a third-party Android app that uses the library, and responsibly reported it to Intel so the industry giant could fix it before it was exploited.
The issue has been resolved in Crosswalk stable 19.49.514.5. App developers should rebuild their apps using the latest Crosswalk versions: 19.49.514.5 (stable), 20.50.533.11 and 21.51.546.0 (beta), and 22.51.549.0 (canary).
Users of apps based on the Crosswalk framework should watch for updates that fix the problem.