If you use an Android or iOS device to connect to a Microsoft Exchange server over WiFi, security researcher Peter Hannay may be able to compromise your account and wreak havoc on your handset.
At the Black Hat security conference in Las Vegas, Hannay, a researcher at Edith Cowan University's Security Research Institute in Australia, described an attack he said works against many Exchange servers operated by smaller businesses. Android and iOS devices that connect to a server secured with a self-signed Secure Sockets Layer (SSL) certificate will still connect even when that certificate has been falsified.
"The primary weakness is in the way that the client devices handle encryption and do certificate handling, so it's a weakness in SSL handling routines of the client devices," Hannay told Ars ahead of his presentation on Thursday. "These clients should be saying that the SSL certificate really doesn't match, none of the details are correct. I won't connect to it."
Article by Dan Goodin (c) Ars Technica.