0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CIRA Canadian Shield iOS Application - Man-In-The-Middle SSL Certificate Vulnerability
Author
Risk
[Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
CIRA Canadian Shield iOS Application - MITM SSL Certificate Vulnerability (CVE-2021-27189) -- https://www.info-sec.ca/advisories/CIRA-Canadian-Shield.html Overview "CIRA Canadian Shield protects you from online threats such as malicious domains, phishing websites and helps to keep your personal data private. It also provides DNS privacy by keeping your DNS requests in Canada. This app works by changing your phone's DNS settings to run your requests through CIRA's Canadian server network." (https://apps.apple.com/ca/app/cira-canadian-shield/id1499859661) Issue The Canadian Internet Registration Authority (CIRA) Canadian Shield iOS application (version 4.0.12 and below), does not validate the SSL certificate it receives when connecting to the application server. Impact An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the application will accept silently. Sensitive information could be captured by an attacker without the user's knowledge. Timeline December 22, 2020 - Attempted to obtain a security contact via a form on cira.ca December 23, 2020 - Asked for a security contact via an email to canadianshield@cira.ca December 23, 2020 - CIRA support asked for details which they will forward to the right team December 28, 2020 - Asked for a security contact via an email to security@cira.ca December 30, 2020 - Asked the Canadian Centre for Cyber Security (CCCS) if they could connect me with security contact at CIRA December 31, 2020 - CCCS responded that they will attempt to connect me with a security contact at CIRA January 4, 2021 - A security contact at CIRA confirmed that security@cira.ca is the correct address to send the details January 4, 2021 - Provided the details to CIRA via security@cira.ca January 5, 2021 - CIRA confirmed receipt of the details February 1, 2021 - CIRA confirmed the issue and stated they are working on an update February 22, 2021 - CIRA released version 4.0.13 Solution Upgrade to version 4.0.13 or later CVE-ID CVE-2021-27189 # 0day.today [2024-11-14] #