A security researcher has disclosed critical issues in the processes and third-party API used by Symantec certificate resellers to deliver and manage Symantec SSL certificates.
The flaw, discovered by Chris Byrne, an information security consultant and instructor for Cloud Harmonics, could allow an unauthenticated attacker to retrieve other people’s SSL certificates, including public and private keys, and to reissue or revoke those certificates.
Even without revoking and reissuing a certificate, attackers holding a stolen SSL certificate and its private key could conduct “man-in-the-middle” attacks over connections that appear secure, tricking users into believing they are on a legitimate site while their SSL traffic is secretly intercepted and tampered with.
“All you had to do was click a link sent in [an] email, and you could retrieve a cert, revoke a cert, and re-issue a cert,” Byrne wrote in a Facebook post published over the weekend.
Symantec Knew of API Flaws Since 2015
Byrne said he first discovered the issues surrounding Symantec certificates in 2015 and agreed to “limited non-disclosure,” as Symantec said the company would take nearly two years to fix the problems.
“Symantec committed to finding and replacing all of the certificates which MAY have been impacted, and then replace them… that they would do so within six months for every cert they could identify, and within two years for every cert period,” Byrne said.
The researcher did not disclose any details to the public until last week when Google disclosed its plan to gradually distrust Symantec-issued certificates inside Google Chrome after discovering several issues with the company and four of its third-party cert resellers.
“Given Google’s experience and actions here, it appears that Symantec did not fix these issues as they committed to,” Byrne said.
However, Byrne was not able to verify that the vulnerability he found was the same issue Google engineers disclosed last week.
According to Byrne, the certificate request and delivery API Symantec provides to its third-party resellers accepts URI-based UIDs “without proper authentication, or in some cases, any authentication at all.”
Because the API server did not authenticate users before granting access to certificate information, any tech-savvy customer could have intercepted an email containing the API-generated link, or taken their own UID and modified one of its parameters.
That would eventually have let an attacker access information on other Symantec customers, identify high-value targets, and run automated attacks.
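The weakness described above is an insecure direct object reference: the UID carried in the link is the only thing the server looks at, so anyone who holds or guesses a UID gets the record it names. The following Python is an added example written for this article; it is not Symantec’s or any reseller’s code, and the certificate store, UIDs, owner addresses and placeholder PEM strings are all constructed. It contrasts a lookup that trusts the URI parameter alone with a hardened version that (a) checks that the authenticated requester owns the record and (b) replaces bare UIDs in emailed links with short-lived, HMAC-signed, single-use tokens that cannot be edited without invalidating the signature.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample store: order UID -> certificate record. The PEM bodies are
# placeholders, not real certificates or keys.
CERT_STORE = {
    "10001": {"owner": "alice@example.com",
              "cert": "-----BEGIN CERTIFICATE-----\n(placeholder: alice)\n-----END CERTIFICATE-----",
              "key": "-----BEGIN PRIVATE KEY-----\n(placeholder: alice)\n-----END PRIVATE KEY-----"},
    "10002": {"owner": "bob@example.com",
              "cert": "-----BEGIN CERTIFICATE-----\n(placeholder: bob)\n-----END CERTIFICATE-----",
              "key": "-----BEGIN PRIVATE KEY-----\n(placeholder: bob)\n-----END PRIVATE KEY-----"},
}

# Hypothetical per-deployment secret; in production this would come from a KMS/HSM, not a literal.
SERVER_SECRET = secrets.token_bytes(32)
USED_NONCES = set()


class AuthError(Exception):
    """Raised for any authorization failure; the message is deliberately generic."""


def vulnerable_lookup(uid):
    """Mirrors the flaw in the article: the UID from the URI is the only input, no identity checked."""
    return CERT_STORE.get(uid)


def authorized_lookup(authenticated_user, uid):
    """Hardened lookup: the record must exist AND belong to the already-authenticated requester.
    'Missing' and 'not yours' return the same error so the endpoint cannot be used to enumerate UIDs."""
    record = CERT_STORE.get(uid)
    if record is None or record["owner"] != authenticated_user:
        raise AuthError("certificate not found")
    return record


def issue_link_token(uid, owner, ttl_seconds=900, now=None):
    """Build the token that goes into an emailed link: payload bound to uid+owner, expiring,
    carrying a random nonce for single use, and HMAC-SHA256 signed with the server secret."""
    payload = {"uid": uid, "owner": owner, "nonce": secrets.token_hex(8),
               "exp": int((now if now is not None else time.time()) + ttl_seconds)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def redeem_link_token(token, now=None):
    """Verify signature first (constant-time), then expiry, then single use, then ownership."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise AuthError("invalid link")           # any edit to uid/owner/exp lands here
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < (now if now is not None else time.time()):
        raise AuthError("link expired")
    if payload["nonce"] in USED_NONCES:
        raise AuthError("link already used")      # a forwarded or re-clicked link is rejected
    USED_NONCES.add(payload["nonce"])
    return authorized_lookup(payload["owner"], payload["uid"])


def _outcome(fn, *args, **kwargs):
    """Return 'allowed' or 'denied' for a lookup attempt, for compact reporting."""
    try:
        fn(*args, **kwargs)
        return "allowed"
    except AuthError:
        return "denied"


def demo():
    """Exercise both handlers and return the observed outcomes."""
    results = {}
    # Vulnerable path: a request that merely names Bob's UID receives Bob's record.
    results["idor_leak"] = vulnerable_lookup("10002")["owner"]
    # Hardened path: Alice, authenticated, asking for Bob's UID is refused.
    results["cross_account"] = _outcome(authorized_lookup, "alice@example.com", "10002")
    # Alice's own emailed link works exactly once.
    token = issue_link_token("10001", "alice@example.com")
    results["own_link"] = redeem_link_token(token)["owner"]
    results["replay"] = _outcome(redeem_link_token, token)
    # Editing the UID inside the signed body (the "modify one of its parameters" case) breaks the signature.
    body, _, sig = token.rpartition(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["uid"] = "10002"
    forged = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode() + "." + sig
    results["tampered"] = _outcome(redeem_link_token, forged)
    # A link older than its TTL is refused even with a valid signature.
    stale = issue_link_token("10001", "alice@example.com", ttl_seconds=60, now=1000)
    results["expired"] = _outcome(redeem_link_token, stale, now=2000)
    return results


if __name__ == "__main__":
    print(demo())
```

The ownership check in `authorized_lookup` is the part that would have closed the flaw on its own; the signed token only matters because the article’s workflow delivers certificates through links in email, where no session exists to authenticate against. Binding the token to the owner, expiring it and refusing reuse limits what an intercepted email is worth, and returning one generic error for both “no such UID” and “not your UID” keeps the endpoint from confirming which identifiers are live.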