Trouble in adobe sdk land CVE-2019-11554

Two security researchers have analyzed Adobe's SDKs


During a security audit of Audible's application, an improper use of
Adobe's SDK (software development kit) was found: the app's SDK
traffic was missing TLS protection and was sent in the clear.

The vulnerability has been given the CVE of CVE-2019-11554.

Explanation of the vulnerability

While analyzing the default configuration files shipped with Adobe's SDK,
the researchers found an insecure default configuration file in which the
ssl variable is set to false, which makes the SDK's requests go over plain
HTTP instead of HTTPS.

{
  "analytics": {
    ...
    "ssl": false,
    ...
  },
  "messages": [
    {
      ...
      "payload": {
        "templateurl": "http://example.com/subscriptions/{%mcid%}",
        ...
      },
      ...

Adobe has been notified about this issue and has resolved it.

The issue affects applications built with Adobe's SDK, which provides
APIs for mobile development.

If you want to scan your configuration files for this, a public tool
is available on GitHub:
https://github.com/nightwatchcybersecurity/truegaze
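The two checks that matter for the configuration fragment quoted above are an "ssl" key set to false and any URL that starts with http://. The scanner below, added here as an example and not code from Adobe, Audible, Firo Solutions or the TrueGaze project, walks a JSON configuration file and reports both, and shows the insecure shape beside the corrected one. The sample configs are constructed to mirror the fragment in the post; key names other than "analytics", "ssl", "messages", "payload" and "templateurl" are assumptions.

```python
"""Scan Adobe Mobile SDK style JSON configs for cleartext transport settings.

Added example, not code from Adobe, Audible, Firo Solutions or TrueGaze.
The config shapes are constructed to mirror the fragment quoted in the post
("analytics.ssl" and a "templateurl" using http://); the other key names
(rsids, server, messageId, template) are assumptions for illustration.
"""
from __future__ import annotations

import json
import sys
from typing import Any, Iterator

# Constructed sample: the insecure default shape shown in the post.
INSECURE_CONFIG = """
{
  "analytics": {"rsids": "example-rsid", "server": "example.sc.omtrdc.net", "ssl": false},
  "messages": [
    {"messageId": "m1", "template": "callback",
     "payload": {"templateurl": "http://example.com/subscriptions/{%mcid%}"}}
  ]
}
"""

# Constructed sample: the same config with TLS enabled and an https URL.
SECURE_CONFIG = """
{
  "analytics": {"rsids": "example-rsid", "server": "example.sc.omtrdc.net", "ssl": true},
  "messages": [
    {"messageId": "m1", "template": "callback",
     "payload": {"templateurl": "https://example.com/subscriptions/{%mcid%}"}}
  ]
}
"""


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json-path, value) for every leaf in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_cleartext_settings(config_text: str) -> list[tuple[str, str]]:
    """Return (path, reason) for each setting that sends traffic in the clear.

    Two checks, matching what the post describes: a key named "ssl" set to
    false anywhere in the document, and any string value that is a plain
    http:// URL (the templateurl case). Other keys are left alone so the
    scanner does not depend on the rest of the SDK's schema.
    """
    findings: list[tuple[str, str]] = []
    for path, value in _walk(json.loads(config_text)):
        key = path.rsplit(".", 1)[-1]
        if key == "ssl" and value is False:
            findings.append((path, "ssl disabled: SDK traffic goes over plain HTTP"))
        elif isinstance(value, str) and value.lower().startswith("http://"):
            findings.append((path, "cleartext http:// URL"))
    return findings


def scan_file(filename: str) -> list[tuple[str, str]]:
    """Scan a config file on disk with the same checks."""
    with open(filename, encoding="utf-8") as handle:
        return find_cleartext_settings(handle.read())


if __name__ == "__main__":
    # With no arguments, demonstrate on the constructed samples.
    targets = sys.argv[1:]
    if not targets:
        for label, text in (("insecure", INSECURE_CONFIG), ("secure", SECURE_CONFIG)):
            print(label, find_cleartext_settings(text))
    for name in targets:
        for path, reason in scan_file(name):
            print(f"{name}: {path}: {reason}")
```

Run it with one or more configuration files as arguments to scan a project, or with no arguments to see the two constructed samples side by side: the insecure one yields two findings, the corrected one none. A config passing this check still needs the endpoint itself to serve HTTPS; the scanner only catches the settings the post describes.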

Audible is the first affected application that has been made public;
the exact number of affected applications is still unknown.

Using this default configuration while building mobile applications is
an easy way to expose the sensitive details being sent to the vendor's
software, such as credit card data and personally identifiable
information, to anyone on the network path.
If you are developing a mobile application using Adobe's SDK,
we recommend that you update to the latest version and verify that
ssl is set to true and that every URL in the configuration uses https.

External links:
CVE-2019-11554
Pankaj Upadhyay
Nightwatch Cybersecurity
Adobe SDK
TrueGaze Tool
The Register
Audible

If you are using an RSS reader you can subscribe to this blog here:
https://blog.firosolutions.com/exploits/index.xml
https://blog.firosolutions.com/posts/index.xml

This blog post is part of the exploit of the day series
where we write a shorter description about interesting
exploits that we index.

Firo Solutions watcher technology