CVE-2017-9577 in Mobile Banking App
Summary
by MITRE
The "First Citizens Bank-Mobile Banking" by First Citizens Bank (AL) app 3.0.0 -- aka first-citizens-bank-mobile-banking/id566037101 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Analysis
by VulDB Data Team • 10/18/2019
The vulnerability identified as CVE-2017-9577 affects the First Citizens Bank-Mobile Banking application version 3.0.0 for iOS. It is a failure of the application's certificate validation, specifically within its SSL/TLS implementation: the application does not verify the X.509 certificates presented by SSL servers, which exposes its users to man-in-the-middle attacks. The flaw undermines server authentication, the property that lets a client establish that it is talking to the legitimate server; instead of establishing that trust, the application accepts whatever certificate an attacker presents.
Technically, the application skips the certificate chain validation that should take place during the SSL/TLS handshake. When it connects to First Citizens Bank's servers it does not verify the presented certificate against trusted certificate authorities, so an attacker positioned on the network path can present a forged certificate that the application accepts, and can then intercept and manipulate all communication between the mobile device and the bank's servers. The vulnerability is classified under CWE-295, "Improper Certificate Validation", and aligns with ATT&CK technique T1046 for network service scanning and T1566 for credential harvesting through social engineering.
The operational impact goes well beyond simple data interception: an attacker can obtain sensitive financial information, including account balances, transaction histories, and potentially user credentials. Mobile banking applications are especially exposed to this class of attack because they handle highly sensitive data while operating on untrusted networks such as public Wi-Fi or cellular data connections. An attacker can redirect users to malicious servers that appear to be legitimate bank services, enabling credential theft, manipulation of financial transactions, and unauthorized account access. Exploitation requires little technical expertise, which increases the likelihood of widespread abuse.
Mitigation should begin with implementing proper certificate validation and certificate pinning in the application, so that only certificates chaining to trusted authorities (and, with pinning, only the expected certificates or keys) are accepted. The application should validate the full certificate chain, including certificate signatures, expiration dates, and revocation status via CRL or OCSP. Security patches should enforce strict SSL/TLS certificate validation, and the application should be updated to use modern cryptographic libraries that handle certificate verification correctly. Organizations should also monitor their networks for unusual certificate behavior and establish incident response procedures for suspected exploitation. Finally, users should be educated about the importance of verifying server certificates and avoiding untrusted networks as part of a comprehensive security strategy.
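As an added example (not code from this page, from VulDB, or from the First Citizens Bank app, which is an iOS application), the client-side mistake behind CWE-295 and its correction shown side by side in Python's ssl module, followed by a certificate-fingerprint pin that is checked only after normal chain and hostname validation has succeeded. The host name and the pinned fingerprint set are placeholders to be filled with the real server's values; `connect_pinned` is the only function that touches the network.

```python
"""Weak vs. hardened TLS client configuration, plus certificate pinning.

Constructed illustration of the flaw described for CVE-2017-9577: a client
that accepts any X.509 certificate. make_vulnerable_context() mirrors that
mistake in Python's ssl module; make_hardened_context() is the corrected
setup, and pin_matches() adds a certificate pin on top of chain validation.
"""
import hashlib
import socket
import ssl
from typing import Optional, Set


def make_vulnerable_context() -> ssl.SSLContext:
    """Mirror of the flawed behaviour: every certificate is accepted.

    Shown only for contrast with make_hardened_context(); never ship this.
    Note the order: check_hostname must be cleared before CERT_NONE is set,
    otherwise ssl raises ValueError, which is one reason this mistake is
    usually deliberate rather than accidental.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # server name never compared to the cert
    ctx.verify_mode = ssl.CERT_NONE   # chain never validated against any CA
    return ctx


def make_hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Validate the chain against trusted CAs and check the host name.

    cafile is optional: with None the platform trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets these; restating them makes the
    # intent explicit so a later edit cannot relax them unnoticed.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Review helper: does this context actually authenticate servers?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: Set[str]) -> bool:
    """Certificate pinning: the leaf must be one of the expected fingerprints.

    Pinning narrows the set of accepted certificates; it is applied after
    chain validation, not instead of it.
    """
    return fingerprint(der_cert) in pinned


def connect_pinned(host: str, port: int, pinned: Set[str],
                   cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Open a TLS connection that passes CA validation and the pin check."""
    ctx = make_hardened_context(cafile)
    raw = socket.create_connection((host, port), timeout=10)
    # wrap_socket performs the handshake; chain and host name are verified
    # here and a failure raises ssl.SSLCertVerificationError.
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} is not in the pinned set")
    return tls


if __name__ == "__main__":
    # Placeholder values (constructed): replace with the real host and the
    # SHA-256 fingerprints of the certificates the app is expected to see.
    PINNED = {"<sha256-hex-of-expected-leaf-certificate>"}
    print("vulnerable context validates servers:",
          context_is_safe(make_vulnerable_context()))
    print("hardened context validates servers:",
          context_is_safe(make_hardened_context()))
    # connect_pinned("bank.example.com", 443, PINNED)
```

On iOS the corresponding decision point is URLSession's server-trust authentication challenge: the app must let the system evaluate the presented SecTrust (and, if it pins, compare the validated leaf or its key against the expected values) rather than accepting the challenge unconditionally, which is the behaviour CWE-295 describes. Pinned fingerprints must be rotated together with the server certificate, so keep a backup pin for the next certificate to avoid locking users out.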