Researchers have uncovered defects in a wide range of applications running on computers, smartphones, and Web servers that could make them susceptible to attacks exposing passwords, credit card numbers, and other sensitive data.

The Trillian and AIM instant messaging apps and an Android app offered by Chase Bank are three apps identified as vulnerable to so-called man-in-the-middle attacks. Like the other dozen or so applications identified, the threat stemmed from weak implementations of the secure sockets layer and transport layer security protocols. Together, the technologies are designed to guarantee the confidentiality and authenticity of communications between end users and servers connected over the Internet.

The weak implementations caused the programs to initiate encrypted communications without first assessing the validity of the digital certificates on the other end. As a result, one of the fundamental guarantees of the SSL—that the computer on the other end of the connection belongs to the party claiming ownership—was fundamentally compromised. Instead, the apps will trust imposter certificates that are signed by attackers or fail established validity tests for a variety of other reasons.

"Our main conclusion is that SSL certificate validation is completely broken in many critical software applications and libraries," a team of researchers wrote in a paper titled The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. "When presented with self-signed and third-party certificates—including a certificate issued by a legitimate authority to a domain called AllYourSSLAreBelongTo.us—they establish SSL connections and send their secrets to a man-in-the-middle attacker."

The scenario described by the researchers is precisely the attack SSL is intended to protect against. The research paper, presented last week's Computer and Communications Security conference, came in addition to separate work presented that demonstrated how holes in apps downloaded as many as 185 million times from Google's official Android market left passwords, e-mail, and instant messaging contents vulnerable to theft.

Instant messaging clients Trillian and AIM are among the apps that fail to properly validate SSL certificates before establishing a secure connection, according to the researchers. Man-in-the-middle attacks on Trillian, depending on the specific setup, can yield login credentials for a variety of third-party services (including Google Talk, AIM, Yahoo!, and Windows Live services). The AIM client version 1.0.1.2 on Windows also accepts certificates signed by untrusted parties and also fails to verify if the host name on the certificate conforms to the Internet address the app is connected to.

Similar weaknesses in the Chase mobile banking app for Google's Android operating system also puts users at risk, the researchers said. "Even a primitive network attacker—for example, someone in control of a malicious Wi-Fi access point—can exploit this vulnerability to harvest the login credentials of Chase mobile banking customers," the paper warned.

The researchers attributed weaknesses to the "terrible design" of the programming interfaces provided in widely used code libraries that implement SSL. In some cases, the libraries leave it up to individual apps to validate the certificates presented when they connect to a server. In other cases, options chosen by app developers inadvertently turn off validation routines that by default are supposed to run.

"These APIs are extremely confusing," said Moxie Marlinspike, the pseudonymous researcher who has repeatedly exposed vulnerabilities in SSL. "They're very easy to get wrong and people do get them wrong all the time. But some of the cases that [the researchers] outline don't spell certain death."

One such case, Marlinspike said, was a weakness described in the code libraries for the Amazon Flexible Payments Service used to process online payments. Invoking the library using the PHP language turns off domain-name checking in FPS, allowing the server running the program to accept connections to non-authorized servers, the paper said. Marlinspike didn't dispute that finding but said that FPS provides its own signature-based authentication protocol and doesn't transmit client credentials, credit card numbers, or bank account information. Under those circumstances, the lack of SSL validation doesn't necessarily indicate a significant loss of security, he said.

Marlinspike made a similar observation about a finding involving TextSecure, an Android app he developed to encrypt cellphone messages that use the SMS and MMS protocols. The carrier servers that phones connect to don't present SSL certificates that conform to Internet standards, so TextSecure wouldn't work correctly if it ran validation routines. More importantly, messages are encrypted using the Off-the-record protocol, so SSL is never relied on to keep the content private.

Nonetheless, the paper cites a litany of widely used apps and code libraries that fail to properly vet servers before establishing connections that are supposed to be secure. This authentication is supposed to take place during a "handshake" mandated by the SSL protocol, when a server presents its public-key certificate to the end-user computer. For the connection to be considered secure, the client must first confirm the certificate has been issued by a valid certificate authority, has not expired or been revoked, and carries the domain name(s) the client is connecting to.

Other apps and libraries mentioned in the paper include Amazon’s EC2 Java library and all cloud clients based on it; Amazon’s and PayPal’s merchant SDKs responsible for transmitting payment details from e-commerce sites to payment gateways; integrated shopping carts such as osCommerce, ZenCart, Ubercart, and PrestaShop; AdMob code used by mobile websites; and Java Web-services middleware—including Apache Axis, Axis 2, Codehaus XFire, and Pusher library for Android—plus all applications employing this middleware.

The researchers said they uncovered the faulty validation by running the programs on a network that used DNS cache poisoning and a real-time certificate impersonator to simulate a real-world man-in-the-middle environment. They called on developers to subject their apps to similar tests.

"The state of adversarial testing appears to be exceptionally poor even for critical software such as mobile banking apps and merchant SDKs responsible for managing secure connections to payment processors," the researchers wrote. "Most of the vulnerabilities we found should have been discovered during development with proper unit testing."