Two security researchers have analyzed Adobe's SDKs

During a security audit of Audible's application, the researchers found an improper call using Adobe's SDK (software development kit). The app was missing TLS certificate validation. The vulnerability has been assigned CVE-2019-11554.

Explanation of the vulnerability

While analyzing Adobe's SDK default configuration files, the security researchers found an insecure default configuration file that defaults the ssl variable to false, the setting that controls whether the SDK's requests go over HTTPS.

{ "analytics": { ... "ssl": false, ... }, "messages": [ { ... "payload": { "templateurl": "http://example.com/subscriptions/{%mcid%}", ... }, ...
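An added example (not code from the original post, the researchers or Adobe) that checks an SDK configuration file for the two insecure defaults quoted above: an "ssl" key set to false, and any plain http:// URL such as the templateurl. The sample config is constructed to mirror the snippet on this page; the key names follow that snippet and nothing else about the SDK's file format is assumed.

```python
import json
from typing import Any, Iterator, List, Tuple

# Constructed sample mirroring the insecure defaults quoted in the post.
INSECURE_CONFIG = """
{
  "analytics": {"ssl": false, "server": "metrics.example.com"},
  "messages": [
    {"payload": {"templateurl": "http://example.com/subscriptions/{%mcid%}"}},
    {"payload": {"templateurl": "https://example.com/ok"}}
  ]
}
"""


def _walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (json_path, value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk(value, f"{path}[{idx}]")
    else:
        yield path, node


def find_insecure_settings(config_text: str) -> List[str]:
    """Return findings for an Adobe-style mobile SDK JSON config.

    Two checks, both derived from the defaults quoted in the post:
      1. any key named "ssl" set to false (SDK traffic sent in cleartext)
      2. any string value that is a plain http:// URL (e.g. templateurl)
    """
    findings = []
    for path, value in _walk(json.loads(config_text)):
        leaf = path.rsplit(".", 1)[-1]
        if leaf == "ssl" and value is False:
            findings.append(f"{path}: ssl disabled, SDK traffic will be sent over HTTP")
        elif isinstance(value, str) and value.lower().startswith("http://"):
            findings.append(f"{path}: cleartext URL {value}")
    return findings


if __name__ == "__main__":
    for finding in find_insecure_settings(INSECURE_CONFIG):
        print(finding)
```

Point the function at the config file shipped inside an app bundle to get the same kind of report truegaze produces for the ssl setting.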

Adobe has been notified about this issue and has resolved it in its SDK, which was created as a set of APIs for mobile development.

If you want to scan your configuration files, a public tool is available on GitHub: https://github.com/nightwatchcybersecurity/truegaze

Audible is the first affected application that was made public; the exact number of affected applications is still unknown.

Using this default configuration while building mobile applications is an easy way to expose the sensitive details sent to the vendor's software provider, such as credit card and personally identifiable information.

If you are developing a mobile application using Adobe's SDK, we recommend that you update to the latest version.

References

adobe.com

The Register: Adobe SDK flaw

https://github.com/nightwatchcybersecurity/truegaze

Nightwatch Cybersecurity

adobe.com (Acrobat)

Pankaj Upadhyay writeup

CVE-2019-11554
