VIPRE Password Vault iOS Application - MITM SSL Certificate Vulnerability (CVE-2020-14981)

Overview

"VIPRE Password Vault is the fast and easy way to securely manage all of your passwords without the hassle of writing them down or storing them on a spreadsheet. Whether you are logging into your favorite social media site, ordering the latest gadget from your favorite e-tailer, paying your bills online, or booking your vacation, log in safely and securely using VIPRE’s new password manager."

(https://support.threattracksecurity.com/support/solutions/articles/1000104275-what-is-vipre-password-vault)

Issue

The VIPRE Password Vault iOS application (version 1.100.1090 and below; later versions have not been tested) does not validate the SSL certificate it receives when connecting to the application login server.

Impact

An attacker who can perform a man-in-the-middle attack may present a bogus SSL certificate, which the application will silently accept. Sensitive information such as passwords could be captured by an attacker without the user's knowledge.
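The defect described above is the classic iOS mistake of answering a server-trust challenge with whatever trust object the peer supplied. The following is an added example (not code from VIPRE or from this advisory) of a URLSessionDelegate that instead evaluates the chain against the system trust store with a hostname-bound SSL policy and then pins the leaf certificate. The class name PinningSessionDelegate, the pinned digest value and the iOS 15+ API choice (SecTrustCopyCertificateChain) are assumptions of this example; the vulnerable pattern is shown only as a comment for contrast.

```swift
import Foundation
import Security
import CryptoKit

/// URLSession delegate that performs full server-trust evaluation and then
/// pins the leaf certificate to a known SHA-256 digest of its DER encoding.
/// Hypothetical example class; not part of the VIPRE application.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {

    /// Lower-case hex SHA-256 digests of the DER-encoded leaf certificates the
    /// app is willing to talk to. The value passed in below is a PLACEHOLDER.
    private let pinnedLeafSHA256: Set<String>

    init(pinnedLeafSHA256: Set<String>) {
        self.pinnedLeafSHA256 = pinnedLeafSHA256
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {

        // Only handle server-trust challenges; everything else goes to the system.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // VULNERABLE PATTERN (the behaviour this advisory describes): accepting
        // the presented chain without evaluating it. Never do this:
        //   completionHandler(.useCredential, URLCredential(trust: trust))

        // 1. Evaluate the chain against the system trust store using an SSL
        //    policy bound to the host we intended to reach (expiry, chain,
        //    hostname match and revocation settings are all checked here).
        let policy = SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString)
        SecTrustSetPolicies(trust, policy)
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pin: the leaf certificate must match one of the expected digests,
        //    so a certificate from any other CA is rejected even if it chains.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        guard pinnedLeafSHA256.contains(digest) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Both the platform evaluation and the pin passed.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage: every request made through this session is subject to the checks above.
// The digest string is a placeholder, not a real certificate hash.
let delegate = PinningSessionDelegate(pinnedLeafSHA256: ["<placeholder-sha256-hex-of-login-server-leaf-cert>"])
let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
```

Two points worth noting when reviewing code like this: step 1 alone already closes the hole the advisory describes, since a self-signed or attacker-issued certificate fails SecTrustEvaluateWithError; step 2 is additional hardening, and pinning the whole leaf means the pin set must be updated before the server certificate rotates, which is why many teams pin the SubjectPublicKeyInfo hash or an intermediate instead.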

Timeline

July 18, 2015 - Attempted to notify ThreatTrack Security via security@vipreantivirus.com
July 29, 2015 - Notified ThreatTrack Security via a contact form
July 31, 2015 - ThreatTrack Security advised that the information has been routed to the proper team for remediation
December 3, 2015 - Provided the details to CERT/CC
April 3, 2016 - Provided the details to the Apple Product Security team
June 22, 2020 - Published an advisory to document the issue

CVE-ID

CVE-2020-14981

Questions?

Contact Information

Info-Sec.CA