Advisory

Secunia SA 51412

Information

By default, when creating a connection using iOS you will get a nice helpful warning if you stumble upon a certificate chain that can’t be verified:

However, some applications override this functionality. In this case, an unfixed vulnerability submitted through Secunia SVCRP reached its 6 month limit as per Secunia’s disclosure policy. Because the check is overridden, a MITM can replace the certificate on the connection and decrypt the traffic without the user knowing, leading to a loss of confidentiality.

It’s also interesting to note that when you authenticate with the WebEx service, as you can see below from this Burp screenshot, it submits your credentials to not just one, but two WebEx servers: one in the USA, and one in Beijing in China. You’ve got to wonder what the purpose of that is, though I won’t speculate about that: