[Crosswalk-help] Crosswalk Security Advisory

Ryan Ware ryan.r.ware at intel.com
Thu Jul 28 14:35:10 PDT 2016


A security vulnerability was recently reported to the Crosswalk
team.  The vulnerability report, as documented by Nightwatch Cybersecurity
(https://wwws.nightwatchcybersecurity.com/), is as follows:

*Vulnerability:*
*==============*
** Software/Product(s) containing the vulnerability:*
*Crosswalk project*

** Please describe the vulnerability:*
*If an MITM proxy is used for SSL, the application shows an error message
about an invalid SSL certificate. If the user presses "OK", all future
communication accepts any SSL certificate even if not valid.*

*Contrast this with regular Android / iOS applications where each network
request re-checks if the certificate is valid.*

*Anyone using Crosswalk project to build an app is affected.*

** How may an attacker exploit this vulnerability?*
*Users of app can be fooled into using the app even with an error*

** What is the impact of exploiting this vulnerability?*
*Get user's data*

** How did you find the vulnerability?*
*manual test of Fastmail Android app*


This issue has been resolved and is fixed in all current versions of
Crosswalk.  Specifically, the fix was introduced in:

   - 19.49.514.5 (stable)
   - 20.50.533.11 (beta)
   - 21.51.546.0 (beta)
   - 22.51.549.0 (canary)

These updates can be found at the following URLs:

   - https://download.01.org/crosswalk/releases/crosswalk/android/stable/
   - https://download.01.org/crosswalk/releases/crosswalk/android/beta/
   - https://download.01.org/crosswalk/releases/crosswalk/android/canary/

The Crosswalk Project thanks Nightwatch Cybersecurity for responsibly
reporting this issue and working with us to responsibly disclose the issue
to the Crosswalk community and the public.

Ryan Ware
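
The difference the report describes between a one-time "OK" that sticks and a per-request certificate check can be seen in a small model. This is an added example, not Crosswalk code or the reporter's test; the class names, outcome labels, hosts and fingerprints are constructed, and certificate validity is supplied as a flag rather than computed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    host: str
    fingerprint: str  # constructed placeholder, not a real hash
    valid: bool       # stands in for the result of chain + hostname validation

class StickyAcceptPolicy:
    """Behaviour described in the report: one "OK" disables checking afterwards."""
    def __init__(self):
        self.user_accepted = False

    def decide(self, cert, prompt):
        if cert.valid:
            return "trusted"
        if self.user_accepted:
            return "accepted-silently"  # no dialog, any invalid cert passes
        if prompt(cert):
            self.user_accepted = True   # decision is remembered process-wide
            return "accepted-after-prompt"
        return "blocked"

class PerRequestPolicy:
    """Behaviour the report contrasts it with: every request is re-checked."""
    def decide(self, cert, prompt):
        if cert.valid:
            return "trusted"
        return "accepted-after-prompt" if prompt(cert) else "blocked"

def replay(policy, certs, ok_clicks):
    """Run certs through policy; the user presses OK on the first ok_clicks dialogs."""
    prompts = []
    def prompt(cert):
        prompts.append(cert.host)
        return len(prompts) <= ok_clicks
    outcomes = [policy.decide(c, prompt) for c in certs]
    return outcomes, prompts

# Constructed session: an intercepting proxy presents invalid certificates.
SESSION = [
    Cert("mail.example", "fp-proxy-1", False),
    Cert("mail.example", "fp-proxy-1", False),
    Cert("login.example", "fp-proxy-2", False),
    Cert("cdn.example", "fp-real", True),
]

if __name__ == "__main__":
    for policy in (StickyAcceptPolicy(), PerRequestPolicy()):
        print(type(policy).__name__, *replay(policy, SESSION, ok_clicks=1))
```

With a single "OK", the sticky policy accepts every later invalid certificate without showing a dialog, including one for a different host; the per-request policy asks again each time.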