CVE-2017-9587 in App
Summary
by MITRE
The "PCSB BANK Mobile" by PCSB Bank app 3.0.4 -- aka pcsb-bank-mobile/id1067472090 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Analysis
by VulDB Data Team • 10/18/2019
CVE-2017-9587 affects version 3.0.4 of the PCSB BANK Mobile iOS application. The app does not validate the X.509 certificate presented by the server when it establishes SSL/TLS connections, so the TLS layer that is supposed to authenticate the bank's backend to the client does not actually do so. The missing piece is the verification step that should run before a secure channel is used: building the certificate chain to a trusted root, checking the validity period, and matching the certificate's name against the host the app connected to.
In practice this means the application's TLS client accepts whatever certificate the server side presents. Any one of the standard X.509 checks, chaining the certificate to a trusted certificate authority, verifying the intermediates and validity period, and matching the subject or subjectAltName against the hostname the app dialled, would reject a forged certificate; the app performs none of them. Certificate pinning is a further hardening layered on top of those checks and is not required for a correct TLS client, so its absence is not the flaw here; the flaw is that even the baseline validation does not happen. An attacker positioned between the device and the bank (on the same Wi-Fi network, or in control of a network path) can therefore present a self-signed or otherwise untrusted certificate for the bank's hostname, terminate TLS on their own host, and relay the traffic to the real server, reading and altering it along the way.
Operationally, every message between the app and the bank's servers is exposed to such an attacker: login credentials, session tokens, account and transaction details, and any personal information the app transmits. Because the attacker relays the traffic to the real backend, the session works normally from the user's point of view and nothing in the app signals that the connection is being intercepted. The bank's servers, for their part, see a valid TLS session arriving from the attacker's relay rather than from the user's device, so neither side has an obvious indicator without additional controls.
The weakness is CWE-295, Improper Certificate Validation. The ATT&CK technique that describes the resulting attack is T1557 (Adversary-in-the-Middle); T1041 is Exfiltration Over C2 Channel, T1039 is Data from Network Shared Drive, and T1566 is Phishing, none of which describe this flaw. The fix belongs on the client side: restore default TLS trust evaluation (chain, validity period, hostname) and, for a banking app, add certificate or public-key pinning on top of it. This should be backed by security review of the mobile application's networking code before release and by periodic penetration testing that includes an interception test against a proxy whose CA is not trusted by the device. NIST SP 800-52 gives guidance on selecting and configuring TLS implementations, and ISO/IEC 27001 covers the surrounding management controls. Multi-factor authentication and transaction monitoring limit the damage an intercepted session can do but do not remove the underlying flaw.
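As an added example (not code from the PCSB BANK Mobile app, whose source is not public; the hostname and pin values are placeholders), the following Swift shows the URLSession delegate pattern that produces a CWE-295 bug of the kind described in the analysis above, beside a hardened delegate that performs the X.509 evaluation the app skipped and adds the certificate pinning recommended as a mitigation. It uses iOS 15+ Security and CryptoKit APIs.

```swift
import Foundation
import Security
import CryptoKit

// Added example, not the vendor's code. Hostname and pin hashes are placeholders.

/// Vulnerable pattern: the delegate turns the server's trust object into a
/// credential without evaluating it, so a MITM certificate for any name is
/// accepted (CWE-295).
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // BUG: no SecTrustEvaluate*, no hostname policy. Whatever the network
        // presented becomes the credential and the connection proceeds.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Hardened pattern: run the system's X.509 evaluation (chain to a trusted root,
/// validity period, hostname match) first, then pin the leaf certificate's SHA-256.
final class ValidatingPinningDelegate: NSObject, URLSessionDelegate {
    /// Hex SHA-256 digests of the DER-encoded leaf certificates the app accepts.
    /// Keep the next certificate's hash in the set before rotating the current one.
    private let pinnedLeafSHA256: Set<String>

    init(pinnedLeafSHA256: Set<String>) {
        self.pinnedLeafSHA256 = pinnedLeafSHA256
    }

    enum TrustError: Error { case chainInvalid(CFError?), noLeaf, pinMismatch(String) }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        switch Self.evaluate(trust: trust, host: challenge.protectionSpace.host, pins: pinnedLeafSHA256) {
        case .success:
            completionHandler(.useCredential, URLCredential(trust: trust))
        case .failure:
            // Reject outright; do not fall back to default handling.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    /// Factored out so it can be unit-tested with a SecTrust built from test certificates.
    static func evaluate(trust: SecTrust, host: String, pins: Set<String>) -> Result<Void, TrustError> {
        // 1. Standard validation. The SSL policy binds the evaluation to the hostname
        //    the app dialled, so a valid certificate for a different name fails too.
        let policy = SecPolicyCreateSSL(true, host as CFString)
        SecTrustSetPolicies(trust, policy)
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            return .failure(.chainInvalid(error))
        }
        // 2. Pinning on top of validation, not instead of it.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            return .failure(.noLeaf)
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        guard pins.contains(digest) else {
            return .failure(.pinMismatch(digest))
        }
        return .success(())
    }
}

// Usage: all banking traffic goes through a session that owns the validating delegate.
let delegate = ValidatingPinningDelegate(pinnedLeafSHA256: [
    "0000000000000000000000000000000000000000000000000000000000000000", // placeholder pin
])
let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://api.example-bank.test/v1/accounts")!) { _, response, error in
    print(error.map { "rejected: \($0)" } ?? "ok: \((response as? HTTPURLResponse)?.statusCode ?? 0)")
}
task.resume()
```

The hardened delegate calls SecTrustEvaluateWithError before it looks at the pins, so an expired certificate or one issued for the wrong hostname is rejected even if its hash happens to match; pinning is layered on validation rather than substituted for it. To check an installed app for this class of bug, route the device through an intercepting proxy whose CA certificate is not installed on the device: an app with the vulnerable delegate keeps working, while a correctly validating app fails the handshake.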