CVE-2014-3750 Bilyoner mobile apps prone to various SSL/TLS attacks

Overview

Bilyoner is an online betting platform offering various betting products: İddaa, Spor Toto, Milli Piyango and TJK.

We have found that the mobile apps are vulnerable to SSL/TLS attacks that let an attacker obtain sensitive information and hijack user sessions.

Description

On a misconfigured network it is possible to redirect the app's HTTPS traffic through a man-in-the-middle (MITM) tool that intercepts the SSL session.

When we redirected our own network traffic in such a configuration, we observed that the app sends and receives user data unencrypted, readable at the intercepting host.

REQUEST

{
    "password": "333444",
    "sessionId": "9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e",
    "username": "12312312"
}

The session identifiers returned by the server can also be reused by an attacker on their own device to hijack other users' sessions, for example:

RESPONSE

{
    "bilyonerCookies": {
        "JSESSIONID": "RQdFTcnPydRypLXc71kXhYjBtN5p5sGT31GN4hvRlsN8qTz2GQ2T!-1656694263",
        "NSC_wtfswfs-ttm": "ffffffffc3a0840e45525d5f4f58455e445a4a423660"
    },
    "bilyonerSessionId": "C1yTTcnP2wSnwyV2gstRkhrsBh8dsqJfvCYBFHqTGvVwhZSYhsJM!-1656694263!1394403087638",
    "sessionId": "9331b4c44edf7c72f4963bc1799416bd071b5eb2aa049ad7ce968b06965f444e"
}
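The interception above succeeds because the client accepts whatever certificate the MITM endpoint presents. As an added example (not Bilyoner's code; the apps' real HTTP stack is not known), the following plain Java pins the server's SubjectPublicKeyInfo hash on top of normal chain validation, so a MITM certificate is refused even if the device has been made to trust it. The pin strings are placeholders, and java.util.Base64 is assumed available (Android API 26+).

```java
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedTls {
    // Placeholder pins (assumption, not the real values): base64(SHA-256(SubjectPublicKeyInfo))
    // of the server's current key plus a backup key so the app survives key rotation.
    static final String[] PINS = { "REPLACE_WITH_REAL_SPKI_PIN", "REPLACE_WITH_BACKUP_PIN" };

    // Wraps the platform trust manager: the chain must validate as usual AND the leaf key
    // must match a pin; a MITM tool's certificate fails the pin even if its CA is trusted.
    static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager platform;
        PinningTrustManager(X509TrustManager platform) { this.platform = platform; }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            platform.checkServerTrusted(chain, authType);
            String pin = spkiPin(chain[0]); // chain[0] is the server's leaf certificate
            for (String p : PINS) if (p.equals(pin)) return;
            // Fail closed: no fallback to an unpinned connection or to plain HTTP.
            throw new CertificateException("SPKI pin mismatch: " + pin);
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { platform.checkClientTrusted(chain, authType); }
        @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
    }

    // SHA-256 over the DER-encoded SubjectPublicKeyInfo, the same value HPKP-style pins use.
    static String spkiPin(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            return Base64.getEncoder().encodeToString(digest);
        } catch (java.security.NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }

    // SSLContext whose sockets enforce the pin; install it for every HTTPS request.
    static SSLContext pinnedContext() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((java.security.KeyStore) null); // null = the platform's default CA store
        X509TrustManager platform = (X509TrustManager) tmf.getTrustManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(platform) }, null);
        return ctx;
    }
}
```

Pinning stops the interception shown in the request above; the reuse of a captured sessionId by another client is a separate server-side issue that pinning alone does not address.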

Affected Versions

Android app versions 2.1.1 and below are affected. iOS app versions below 4.6.2 are vulnerable.

Fixes

Android users are advised to upgrade to version 2.3.1. For iOS, version 4.6.2 is available.