In the mobile browser Kaspersky Safe detected dangerous vulnerability allows attackers to intercept usernames, passwords and other personal data of users. Application from the Russian “Kaspersky Lab” is designed to identify and block malicious web sites and is available for smartphones and tablets iPhone iPad.
An expert in the field of information security David Comber found the dangerous vulnerability in Kaspersky Safe Browser. The bug allows an attacker to steal the user’s personal data.
As it turned out, a “safe” browser does not validate SSL certificates when connecting to secure sites. The vulnerability (CVE-2016-6231) allows an attacker to carry out an attack “man in the middle. According to CUMBER an attacker to forge an SSL certificate for secure website which the app will accept the default. Thus an attacker can easily intercept data transmitted between the application and the server. In the hands of the attacker can be a username and password of the user.
“A hacker can conduct an attack “man in the middle”, giving the browser a fake SSL certificate, which application will take. Further, the eavesdropper can obtain access to usernames, passwords and other personal data of the user without his knowledge,” — said the expert.
Kaspersky Safe Browser is positioned developers as a free browser for safe surfing in the Internet on the iPhone, iPad and iPod touch. The software protects from going to infected and fraudulent sites, and also allows you to filter unwanted categories of websites.
23 Jun 2016 member notified about the vulnerability of the program “Kaspersky Lab”. Four days later the company confirmed in a reply to the presence of security flaws, and a month later released a browser version 1.7.0, in which the vulnerability is eliminated.
According to the statement of experts of the Laboratory, the vulnerability can be proekspluatirovat in that case, if a user opens a malicious HTTPS link that is not defined or antivirus anti-phishing filters built into the app.
