A security researcher has disclosed critical issues in the processes and third-party API used by Symantec certificate resellers to deliver and manage Symantec SSL certificates.
The flaw, discovered by Chris Byrne, an information security consultant and instructor for Cloud Harmonics, could allow an unauthenticated attacker to retrieve other persons' SSL certificates, including public and private keys, as well as to reissue or revoke those certificates.
Even without revoking and reissuing a certificate, attackers can conduct "man-in-the-middle" attacks over secure connections using stolen SSL certs, tricking users into believing they are on a legitimate site when in fact their SSL traffic is being secretly tampered with and intercepted.
"All you had to do was click a link sent in [an] email, and you could retrieve a cert, revoke a cert, and re-issue a cert," Byrne wrote in a Facebook post published over the weekend.
Symantec Knew of API Flaws Since 2015
Byrne said he first discovered the issues surrounding Symantec certificates in 2015 and agreed to "limited non-disclosure," as Symantec said the company would take about two years to fix the problems.
"Symantec committed to finding and replacing all of the certificates which MAY have been impacted, and then replace them... that they would do so within 6 months for every cert they could identify, and within 2 years for every cert period," Byrne said.

The researcher did not disclose any details to the public until last week, when Google disclosed its plan to gradually distrust Symantec-issued certificates within Google Chrome after discovering several issues with the company and four of its third-party cert resellers.
"Given Google's experience and actions here, it appears that Symantec did not fix these issues as they committed to," Byrne said.
However, Byrne was not able to verify that the vulnerabilities he found were exactly the same issue Google engineers disclosed last week.
According to Byrne, the certificate request and delivery API Symantec provides to its third-party resellers takes URI-based UIDs "without proper authentication, or in some cases, any authentication at all."
Since the API server didn't authenticate users prior to accessing certificate information, any tech-savvy customer could have easily intercepted an email containing the API-generated link, or taken their own UID and modified one of its parameters.
This would eventually have allowed a malicious attacker to access data on other Symantec customers, identify high-value targets, and perform automated attacks.
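The weakness described above is a missing object-level authorization check: the endpoint trusts the UID carried in the URI and never asks who is requesting it. The following added example (not Symantec's, a reseller's, or Byrne's code; all customers, UIDs and certificate records are constructed sample data) models that delivery endpoint beside a hardened resolver that binds each record to the authenticated account and to an unguessable delivery token.

```python
# Added example: a UID-keyed certificate-delivery lookup with no caller check,
# beside a hardened version. Customers, UIDs and PEM strings are constructed.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CertRecord:
    owner: str            # account that ordered the certificate
    cert_pem: str         # constructed placeholder, not a real certificate
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Sequential UIDs: changing one parameter of your own link reaches a neighbour.
CERTS = {
    "order-1001": CertRecord("acme-reseller", "-----BEGIN CERTIFICATE----- acme ..."),
    "order-1002": CertRecord("globex-corp", "-----BEGIN CERTIFICATE----- globex ..."),
}


class AuthError(Exception):
    pass


def fetch_cert_vulnerable(uid: str) -> str:
    """Resolves the UID from the URI and returns whatever it points at."""
    return CERTS[uid].cert_pem


def fetch_cert_hardened(uid: str, session_user: Optional[str], token: str) -> str:
    """Object-level authorization: the caller must be logged in, must own the
    record, and must present the delivery token that the email link carried."""
    if session_user is None:
        raise AuthError("login required before any certificate operation")
    record = CERTS.get(uid)
    # Same error for "missing" and "not yours", so UIDs cannot be enumerated.
    if record is None or record.owner != session_user:
        raise AuthError("no such certificate for this account")
    if not hmac.compare_digest(record.token, token):
        raise AuthError("invalid or expired delivery token")
    return record.cert_pem


def is_denied(uid: str, session_user: Optional[str], token: str) -> bool:
    """True when the hardened resolver refuses the request."""
    try:
        fetch_cert_hardened(uid, session_user, token)
    except AuthError:
        return True
    return False
```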
Gaining Full Control Over Another User's SSL Certificates
Using the same API vulnerabilities, the attacker could even have gained full control over another customer's certificates, which includes obtaining public and private keys, revoking certs, or reissuing certs with new passphrases.
Currently, neither the researcher nor the company has discovered any evidence to prove such a scenario, but the possibility alone was enough for Byrne when considering disclosure.
"It would then be easy to compromise DNS for a particular organization or person they wanted to attack. At that point, they could pretend to be that person's bank, their credit card company, their employer, anyone," Byrne added.
"Perhaps the worst compromise would be to spoof a patch and update server for an entire company. Then every single machine at that company could be compromised simultaneously."

According to the researcher, Symantec has since fixed some of the issues, but not all. We have reached out to Symantec, and will update the story as soon as we hear back from the company.
Symantec has not yet responded to Byrne's disclosure, though the company has recently published two blog posts accusing Google of "exaggerated and misleading" claims the search engine made last month regarding its CAs.
UPDATE: Symantec’s Response
Symantec has responded to the API flaws and provided the following statement to The Hacker News:

"We have looked into Chris Byrne's research claim and could not recreate the problem. We would welcome the proof of concept from the original research in 2015 as well as the most recent research. In addition, we are unaware of any real-world scenario of harm or proof of the problem. However, we can confirm that no private keys were accessed, as that is not technically feasible."
"We welcome any feedback that helps improve security for the community. Anyone who would like to share further details about real-world scenarios or proof of concept should contact us here."