CVE-2017-9582 in Mobile Banking App
Summary
by MITRE
The "BNB Mobile Banking" by Brady National Bank app 3.0.0 -- aka bnb-mobile-banking/id674215747 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Analysis
by VulDB Data Team • 10/18/2019
CVE-2017-9582 affects version 3.0.0 of the BNB Mobile Banking application for iOS, distributed through the App Store as bnb-mobile-banking/id674215747. The flaw lies in the application's TLS client code: when a secure connection is established, the app does not validate the X.509 certificate presented by the SSL server. Without that check, the guarantees normally provided by Transport Layer Security no longer hold, and the attack surface widens considerably.
Certificate validation is the mechanism by which a TLS client enforces server identity through the public key infrastructure. An application that skips X.509 verification effectively disables that trust model and leaves traffic between the mobile client and the banking servers open to interception and manipulation. The weakness corresponds to CWE-295, Improper Certificate Validation, and manifests here as missing certificate chain validation and hostname checking, both of which are essential for secure communication in a mobile banking application.
The operational impact is severe. A man-in-the-middle attacker can present a fraudulent certificate that the vulnerable app accepts as legitimate, then intercept and manipulate all traffic between the banking app and the bank's servers. Exposed data includes user credentials, account balances and transaction details, and the attacker may be able to execute unauthorized financial transactions. Users who conduct banking operations over unsecured or public networks, where interception is more likely, are particularly at risk.
From an adversary perspective, the vulnerability aligns with several ATT&CK techniques, including T1046 (network service scanning) and T1566 (credential harvesting through social engineering). The attack surface is particularly concerning because mobile banking applications handle highly sensitive data and are prime targets for financial fraud. With no certificate verification, an attacker can impersonate the legitimate banking service without detection, which can lead to significant financial losses for users and reputational damage for the issuing financial institution. As immediate mitigations, organizations should implement comprehensive network monitoring and certificate pinning; the application vendor must urgently release a patched version that enforces proper X.509 certificate validation and implements industry-standard secure communication protocols.
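As an added illustration (not code from the affected app or from VulDB), the Swift below contrasts the URLSession authentication-challenge handler pattern that produces this class of CWE-295 weakness with a hardened handler that performs the chain and hostname validation discussed above and adds the certificate pinning recommended as a mitigation. It assumes iOS 15 or later (SecTrustCopyCertificateChain) and CryptoKit; the pin value is a placeholder.

```swift
import Foundation
import Security
import CryptoKit

// Vulnerable pattern: accept whatever serverTrust the peer presents, so a forged or self-signed certificate passes.
final class TrustAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust))  // no evaluation at all
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// Hardened pattern: OS chain + hostname validation, then a pin on the SHA-256 of the leaf certificate's DER.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    // Placeholder pins (base64 SHA-256 of leaf DER); use the bank's real values and include the next cert in rotation.
    private let pinnedLeafHashes: Set<String> = ["REPLACE_WITH_BASE64_SHA256_OF_LEAF_DER"]

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Chain validation against the system trust store plus hostname check (the CWE-295 core).
        let policy = SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString)
        var evalError: CFError?
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess,
              SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Certificate pinning on the leaf so a CA-issued but unexpected certificate is also rejected.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafDER = SecCertificateCopyData(leaf) as Data
        let digest = Data(SHA256.hash(data: leafDER)).base64EncodedString()
        if pinnedLeafHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)  // pin mismatch: refuse the connection
        }
    }
}
```

Install the hardened delegate with `URLSession(configuration:delegate:delegateQueue:)`; the vulnerable delegate is shown only so reviewers can recognise the pattern during code audit.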