Vulnerability Note VU#251628
AMTELCO miSecureMessages Server insecurely authenticates clients
Overview
AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages (CWE-287).
Description
AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages. miSecureMessages authenticates client app XML requests for messaging data using the contact identifier value and a valid license key. The contact identifier is trivial to guess and a license key will be present on a licensed client app. AMTELCO has provided a vendor statement about this vulnerability. |
Impact
A remote attacker may be able to read users' messages by iterating through contact identifier values. |
Solution
AMTELCO has addressed this vulnerability in miSecureMessages Server Release 6.3 which is available to all customers (login required). |
Vendor Information (Learn More)
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
AMTELCO | Affected | 11 Apr 2014 | 18 Apr 2014 |
CVSS Metrics (Learn More)
Group | Score | Vector |
---|---|---|
Base | 7.1 | AV:N/AC:M/Au:N/C:C/I:N/A:N |
Temporal | 5.6 | E:POC/RL:OF/RC:C |
Environmental | 1.4 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
- https://itunes.apple.com/us/app/misecuremessages/id423957478?mt=8
- https://play.google.com/store/apps/details?id=com.amtelco.secure
- https://misecuremessages.com/
- https://cwe.mitre.org/data/definitions/287.html
- https://service.amtelco.com
Credit
Thanks to Jared Bird for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
- CVE IDs: CVE-2014-0357
- Date Public: 11 Apr 2014
- Date First Published: 11 Apr 2014
- Date Last Updated: 18 Apr 2014
- Document Revision: 41
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.