The ThreatMetrix software development kit for iOS was patched on Tuesday following the discovery of an SSL certificate validation vulnerability that could allow an attacker to execute a man-in-the-middle attack.
According to an advisory from the Software Engineering Institute’s CERT Coordination Center (CERT/CC) at Carnegie Mellon University, ThreatMetrix fixed the issue, officially designated CVE-2017-3182, with version 3.2 of the SDK. In earlier versions, the SDK failed to validate SSL certificates provided by HTTPS connections. Consequently, attackers “on the same network or upstream from a vulnerable iOS device may be able to view or modify ThreatMetrix network traffic that should have been protected by HTTPS,” the advisory warns.
ThreatMetrix is a security library for mobile applications that is designed to provide users with fraud prevention and device identity capabilities. CERT/CC researcher Will Dormann is credited with discovering the flaw.
UPDATE 1/13: ThreatMetrix has contacted SC Media and provided the following statement: “This was a bug from a prior SDK version from a year ago, specifically tied to the Discover mobile app. The next SDK version fixed the bug.
We believe Discover has upgraded SDK version, so there isn’t currently a problem.” However, this information does not seem to correspond at all with the details supplied by the CERT/CC.