Vigil@nce - Node.js engine.io-client: Man-in-the-Middle
June 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can act as a Man-in-the-Middle on Node.js
engine.io-client, in order to read or write data in the session.
– Impacted products: Node.js Modules (not comprehensive).
– Severity: 2/4.
– Creation date: 27/04/2016.
DESCRIPTION OF THE VULNERABILITY
The Node.js engine.io-client product uses the TLS protocol, in
order to create secure sessions.
However, the X.509 certificate and the service identity are not
correctly checked.
An attacker can therefore act as a Man-in-the-Middle on Node.js
engine.io-client, in order to read or write data in the session.
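The two checks named above (certificate validation and service identity), shown as an added example that is not taken from the bulletin or from engine.io-client. It audits a Node.js TLS client option object for settings that switch those checks off. The bulletin does not name the option involved; `rejectUnauthorized`, `checkServerIdentity` and `NODE_TLS_REJECT_UNAUTHORIZED` are standard Node.js `tls` settings, and the host names and certificate are constructed.

```javascript
// Added example: audit of Node.js TLS client options (not engine.io-client code).
const tls = require('tls');

// Constructed certificate, in the shape returned by tlsSocket.getPeerCertificate().
const SAMPLE_CERT = {
  subject: { CN: 'chat.example.com' },
  subjectaltname: 'DNS:chat.example.com, DNS:*.api.example.com',
};

// True when the certificate is valid for `host` according to Node's own
// service identity check (tls.checkServerIdentity returns undefined on a match).
function identityMatches(host, cert) {
  return tls.checkServerIdentity(host, cert) === undefined;
}

// Returns findings for client options that disable or weaken certificate
// verification. An empty list means the safe defaults are intact.
function auditTlsOptions(opts = {}, env = process.env) {
  const findings = [];
  if (opts.rejectUnauthorized === false) {
    findings.push('rejectUnauthorized=false: certificate chain errors are ignored');
  }
  if (opts.rejectUnauthorized === undefined && env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0: verification is off unless ' +
                  'rejectUnauthorized is set explicitly');
  }
  if (typeof opts.checkServerIdentity === 'function') {
    // Probe the override with a host the constructed certificate does not cover.
    let result;
    try {
      result = opts.checkServerIdentity('other.example.net', SAMPLE_CERT);
    } catch (e) {
      result = e; // throwing also counts as a rejection
    }
    if (result === undefined) {
      findings.push('checkServerIdentity override accepts a mismatched host name');
    }
  }
  return findings;
}
```

Running `auditTlsOptions` over the options a client library passes to `tls.connect` or `https.request` shows whether a man-in-the-middle certificate would be rejected before any session data is exchanged.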
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Node-js-engine-io-client-Man-in-the-Middle-19475