CVE-2017-9600 in OK App
Summary
by MITRE
The "Peoples Bank Tulsa" by Peoples Bank - OK app 3.0.2 -- aka peoples-bank-tulsa/id1074279285 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Analysis
by VulDB Data Team • 10/18/2019
CVE-2017-9600 describes a certificate-validation flaw in the Peoples Bank Tulsa mobile banking application for iOS. It affects version 3.0.2, distributed through the Apple App Store as peoples-bank-tulsa/id1074279285. The application does not verify the X.509 certificate presented by the server when it opens an SSL/TLS connection, so the one property TLS is supposed to give a banking client, that it is talking to the bank and not to whoever sits on the network path, is lost.
Correct TLS client behaviour is to abandon the handshake unless the server's certificate chains to a trusted root, matches the hostname the app intended to reach, and is within its validity period. According to the MITRE description the app performs no such verification, so an attacker who can get between the device and the bank (a hostile Wi-Fi hotspot, a compromised router, DNS or ARP spoofing) presents a crafted certificate, for example a self-signed one issued for the bank's hostname, and the app completes the handshake with the attacker instead of the bank. From that point the attacker terminates TLS on both sides and can read or alter everything the app sends and receives. Certificate pinning, which many banking apps add on top of chain validation, would also have stopped this, but the baseline failure here is the missing validation itself. The bug class is easy to confirm in testing: route the device through an intercepting proxy whose CA the device does not trust; a correctly built app refuses to connect, while a vulnerable one carries on as if nothing were wrong.
For a banking application the impact is severe. Whatever the app sends over the intercepted connection (login credentials, session tokens, account and transaction data, personal details) reaches the attacker in the clear, and because the attacker also controls what the app receives, responses can be altered and requests modified in transit. The MITRE description is limited to obtaining sensitive information; how much further an attacker could take this, for instance into unauthorized transactions, depends on server-side controls the advisory does not cover. Every user of the affected version who connects from a network the attacker can influence is exposed, which for a mobile app means public Wi-Fi first of all.
The weakness is CWE-295, Improper Certificate Validation. It is an authentication failure rather than a weak cipher: the traffic is still encrypted, but to a peer the app never checked. In ATT&CK terms the attack is T1557, Adversary-in-the-Middle; network service discovery (T1046) and phishing (T1566) are unrelated techniques and do not describe this flaw. In iOS apps this class of bug typically comes from an authentication-challenge handler that accepts any server trust, or a networking library configured to skip validation, a common source being a development-time bypass for self-signed test servers that ships in the release build. The fix is to let the platform validate the chain and hostname against the system trust store, never to override that check in production builds, and optionally to pin the server's public key or certificate on top of it. Automated checks with an intercepting proxy belong in release testing so that a disabled validation path cannot ship again.
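To make the difference between the vulnerable behaviour and the recommended fixes concrete, here is an added example; it is not code from the app or from VulDB. It is a Go program that mints an attacker's self-signed certificate for an assumed bank hostname, serves it on loopback, and connects with four client configurations: no verification (the CVE-2017-9600 behaviour), chain validation against the bank's genuine certificate, chain validation when the device has been made to trust the attacker's issuer, and that same rogue trust store with a public-key (SPKI) pin. Go's crypto/tls is used because the behaviour is identical on every platform and the iOS app's own code is not available. The hostname online.example-bank.test, both certificates and the interceptor are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrPinMismatch: the server's public key is not the one the client pinned.
var ErrPinMismatch = errors.New("tls: server public key does not match pin")

// mustSelfSignedCert mints a self-signed certificate for host. A man-in-the-middle
// can mint one for the bank's hostname just as easily; no trusted CA has signed it,
// which is exactly what X.509 chain validation exists to detect. Panics only if the
// system CSPRNG is broken, so this demo treats that as fatal.
func mustSelfSignedCert(host string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// spkiPin returns a VerifyConnection hook that rejects any leaf whose SubjectPublicKeyInfo
// hash differs from pin. Go calls it after chain validation, so it can only tighten the check.
func spkiPin(pin [32]byte) func(tls.ConnectionState) error {
	return func(cs tls.ConnectionState) error {
		if sha256.Sum256(cs.PeerCertificates[0].RawSubjectPublicKeyInfo) != pin {
			return ErrPinMismatch
		}
		return nil
	}
}

// Result records how each client configuration treats the attacker's certificate;
// a nil error means the handshake succeeded, i.e. the client accepted it.
type Result struct {
	NoVerification error // CVE-2017-9600 behaviour: every certificate is accepted
	ChainValidated error // chain validated against the bank's genuine certificate
	RogueCATrusted error // chain validation, but the device trusts the attacker's issuer
	RogueCAPinned  error // same rogue trust store, plus an SPKI pin on the bank's key
}

// Run serves the attacker's certificate on loopback and connects with each client
// configuration. The hostname is assumed for the demo, not the app's real backend.
func Run() (r Result, err error) {
	const host = "online.example-bank.test"
	_, bankCert := mustSelfSignedCert(host)       // stands in for the bank's real certificate
	mitmTLS, mitmCert := mustSelfSignedCert(host) // the attacker's crafted certificate
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{mitmTLS}})
	if err != nil {
		return r, err
	}
	defer ln.Close()
	go func() { // the interceptor: complete a handshake with every client, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	try := func(cfg *tls.Config) error { // one client handshake, verifying the server as host
		cfg.ServerName = host
		conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if err == nil {
			conn.Close()
		}
		return err
	}
	bankRoots, rogueRoots := x509.NewCertPool(), x509.NewCertPool()
	bankRoots.AddCert(bankCert)
	rogueRoots.AddCert(mitmCert)
	pin := sha256.Sum256(bankCert.RawSubjectPublicKeyInfo)
	r.NoVerification = try(&tls.Config{InsecureSkipVerify: true})
	r.ChainValidated = try(&tls.Config{RootCAs: bankRoots})
	r.RogueCATrusted = try(&tls.Config{RootCAs: rogueRoots})
	r.RogueCAPinned = try(&tls.Config{RootCAs: rogueRoots, VerifyConnection: spkiPin(pin)})
	return r, nil
}

func main() { fmt.Println(Run()) }
```

Running it prints the four outcomes. InsecureSkipVerify: true reproduces the vulnerable behaviour and accepts the attacker's certificate without complaint; ordinary chain validation rejects it as signed by an unknown authority, which is all the app needed to do. The last two lines show why the analysis recommends pinning as a second layer: once the device trusts the attacker's issuer (a rogue or compromised CA in the trust store), chain validation passes again, and only the SPKI pin still notices that the key is not the bank's. The pin is layered on top of RootCAs rather than replacing it; pinning with validation disabled would be a different bug.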