Over 10 million users running CyanogenMod and other custom ROMs are potentially vulnerable to a specific type of man-in-the-middle attack, according to a report in The Register.
The report cites information from a security researcher who works for a top-tier vendor, who says that the zero-day vulnerability makes it possible to target any browser used on the popular Android distribution.
According to XDA Developers, "CyanogenMod developers and other teams had taken Oracle's sample code for Java 1.5, which can potentially result in an MitM attack due to invalid SSL hostname verification. The attacker can then use a browser to execute code and steal important data like credit card numbers, etc."
"I was looking at HTTP component code and I was thinking I had seen this code before," the researcher said.
"They just copy-pasted the sample code and that's what was vulnerable. I checked on GitHub and found out a tonne of others were using it."
Back in 2012, after the flaw was discovered, it became the topic of discussion at several security conferences. The researcher says that the code has not been fixed since then.
"If you go and create an SSL certificate for a domain you own, say evil.com, and in an element of the certificate signing request such as the 'organisation name' field you put the 'value,cn=*domain name*', it will be accepted as the valid domain name for the certificate," he said.
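The sketch below is an added example, not code from CyanogenMod, Oracle or the report. It shows how a hostname check that splits the subject DN string on commas ends up reading a value embedded in the organisation field as a second CN, next to a version that parses the DN structurally. The subject string and both hostnames are constructed, and the comma-splitting logic is an assumption about how such a check fails, based on the researcher's description.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnExtractionDemo {

    // Weak form (hypothetical): every comma is treated as an RDN separator,
    // so text after an escaped comma inside O= is read as its own attribute.
    static List<String> naiveCommonNames(String subjectDn) {
        List<String> cns = new ArrayList<>();
        for (String token : subjectDn.split(",")) {
            String t = token.trim();
            if (t.toLowerCase(Locale.ROOT).startsWith("cn=")) {
                cns.add(t.substring(3));
            }
        }
        return cns;
    }

    // Hardened form: LdapName parses the DN per RFC 2253, so an escaped comma
    // stays inside the attribute value it belongs to.
    static List<String> parsedCommonNames(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(rdn.getValue().toString());
            }
        }
        return cns;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject: the certificate is issued for evil.com, and the
        // organisation field carries "value,cn=bank.example" (comma escaped).
        String subject = "CN=evil.com,O=value\\,cn=bank.example,C=US";
        String requestedHost = "bank.example"; // constructed host the client asked for

        List<String> naive = naiveCommonNames(subject);
        List<String> parsed = parsedCommonNames(subject);

        System.out.println("naive CNs:  " + naive);
        System.out.println("parsed CNs: " + parsed);
        System.out.println("naive check accepts " + requestedHost + ":  " + naive.contains(requestedHost));
        System.out.println("parsed check accepts " + requestedHost + ": " + parsed.contains(requestedHost));
    }
}
```

Current hostname verification practice matches against the certificate's subjectAltName dNSName entries first and treats the CN only as a legacy fallback, which removes the dependence on DN string handling altogether.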