CM Browser insecurity — Can Chinese web browsers be as secure as they claim?

Sir dEad0r
6 min read · Dec 31, 2017


A few weeks ago I experimented with my own root CA (Certificate Authority) to issue certificates for some applications in my LAN that my own devices would trust. In other words, I wanted to waste some time until Let’s Encrypt could hopefully provide wildcard certificates for my use case.

On my mobile phone, I sometimes open the CM Browser on Android, because it’s the only browser I found that can display hn.premii.com (an awesome frontend for Hacker News) in the best full screen format I could imagine. Also, someone once told me the CM Browser would be the standard browser included in the Android OS CyanogenMod (I finally checked and found this to be false).

Besides that, I heard rumors that this is a browser with a high focus on security and privacy, which the screenshot from CM’s homepage suggests in some way (in the first sentence, actually):

To check whether a service I had set up in my home lab would deliver the newly signed certificate (issued by my new root CA), I opened the site in CM Browser. To my surprise, although I had not yet imported my root CA certificate into my Android phone at that point, I was presented with a perfectly fine, green lock icon. Too bad this secure browser doesn’t let me look at the details of the certificate (that would be a nice feature for a “secure” browser). For the fun of it, I created another random DNS entry pointing at the same target, a name the certificate is not valid for and on which every browser simply must throw an error, and again, everything seemed fine.

If you don’t know what that means: any intruder in your network or on some public WiFi would easily be able to perform a man-in-the-middle attack while you browse your emails, and start taking over all your accounts and/or stealing your identity. Browser vendors actually have huge headaches finding the best way to warn users of such attacks, so they keep spending a lot of resources to improve in this area. Those tools are simply not allowed to screw this up nowadays!

Intrigued, I searched for simpler ways to test certificate validation scenarios and immediately stumbled upon a wonderful site: badssl.com

I’ve always used CM Browser in the “Incognito mode”, so I hoped that was the underlying issue (i.e. a stupid bug). The test results displayed in the following two screenshots proved me wrong:

How CM Browser behaves when being presented with an expired certificate at https://expired.badssl.com: perfectly “normal”.
Even a certificate signed by a generally untrusted root certificate can’t stop CM Browser from loading the badssl.com page without warning.

I also discovered the Dashboard of badssl.com, and this is how it looks for CM Browser as of 30th November 2017 using version 5.22.02.0018 of the Android app:

badssl.com’s Dashboard

Now from experience I know how faulty certificate validation code makes it into production apps: somewhere in the (manual!) deployment process, someone forgot to remove the workaround that developers introduced to test the app against development backend servers. Nobody wants to spend the time to create proper certificates for those servers and get them signed for a few USD/year (or for free with Let’s Encrypt); it is just too much effort to spend time on.

But after discovering the following information in the Play Store, I reconsidered my assumption of a simple mistake:

So the developer is from China. And we know how much China loves secured connections. So why force companies to provide non-HTTPS websites for targeted censorship, if you can simply ask (or force) some browser vendor to silently ignore your MITM attacks? Don’t think so? How about the time Opera was forced to release a special version of their browser for the Chinese market? Side quest: guess why that article on asia.cnet.com isn’t online anymore. If that’s standard practice, I can never trust any Internet-connected Chinese product again, and I suggest you do the same.

Turns out this is a kind-of-actually-known issue, as a friend pointed out to me: hackapp, an automatic vulnerability scanner, for which results are nicely commented on vulners.com, shows us this disturbing overview of severe drawbacks you may encounter using CM Browser:

Customized SSL and WebView SSL handling are huge red flags
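The two passages above (the shipped dev-backend workaround, and the “customized WebView SSL handling” flagged by hackapp) describe one well-known Android pattern. The following is an added illustration, not code from CM Browser or from the article: the `WebViewClient` callback as it must never ship, next to a hardened version. `ErrorSink` and `describe` are hypothetical helper names I introduce here; the `SslError` constants and `SslErrorHandler` methods are the real Android APIs.

```java
// Added example (not CM Browser's code): Android WebView SSL error handling,
// the insecure pattern beside a hardened one.
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class SslHandlingExamples {

    // The "dev backend workaround" that must never reach a release build:
    // every certificate error (expired, untrusted root, host mismatch, ...)
    // is waved through, and the user still sees the normal lock icon.
    // This is exactly the behaviour the badssl.com test pages expose.
    public static class InsecureClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed(); // accepts any certificate: a MITM goes unnoticed
        }
    }

    // Hardened client: cancel the load (Android's default behaviour) and
    // surface a human-readable reason so the user can see what went wrong.
    public static class StrictClient extends WebViewClient {
        public interface ErrorSink { void show(String url, String reason); } // hypothetical
        private final ErrorSink sink;
        public StrictClient(ErrorSink sink) { this.sink = sink; }

        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel(); // never proceed() on a validation failure
            sink.show(error.getUrl(), describe(error.getPrimaryError()));
        }

        // Map the most severe error Android reports to a message for the user.
        static String describe(int primaryError) {
            switch (primaryError) {
                case SslError.SSL_EXPIRED:      return "certificate has expired";
                case SslError.SSL_NOTYETVALID:  return "certificate is not yet valid";
                case SslError.SSL_IDMISMATCH:   return "hostname does not match certificate";
                case SslError.SSL_UNTRUSTED:    return "certificate authority is not trusted";
                case SslError.SSL_DATE_INVALID: return "certificate date is invalid";
                default:                        return "generic SSL error";
            }
        }
    }
}
```

For a development backend with its own CA, the fix is to trust that CA only in the debug build via Android's network security configuration, not to override validation in code. A single `proceed()` left in a release build is enough to produce the badssl.com dashboard shown above.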

Anyways, it was time to make them aware of the issue and hope they’d fix it. I couldn’t find any PGP key of an employee who still works there, so I chose their Play Store contact and the customer support contact for the CM Browser to send a plain-text email. You’ll find it below. I should note that none of my emails reached fankui@liebao.cn (“550 Mail content denied”), even after sending them without a PGP signature and also after switching to plain text and removing “https://” from the provided badssl URL.

Sadly, I had not received any response by my deadline and decided to wait a bit longer — preparations for the Chinese new year may have shifted their focus, after all. Meanwhile a new version has been released on December 28th (v5.22.04.0006), but the issue still persists. This problem should be a big deal, at least to non-Chinese Internet companies. Providing no security incident response at all is a big no-go for a browser vendor. We can only hope the CM team is an exception.

Let me answer my own question by extending it to an even broader conclusion: No, Chinese software vendors that claim to provide secure products cannot be trusted without proper review of every single version they produce.

So what’s left to do now? Only one thing: stop using any app developed by the CM team. They are provably less secure than they claim to be. Before uninstalling the CM Browser app, you may want to check your history (and remember which sites you were browsing in Incognito mode) and change the passwords on the websites you’ve visited. Consider all prior communication using CM Browser compromised.

The initial email I sent to the CM team:

Date: 30th November 2017, 00:58 AM
To: browser@cmcm.com (the address provided in the Play Store); fankui@liebao.cn (the customer support address listed for CM Browser on their support page)
Subject: Security issue with version 5.22.02.0018 of CM Browser on Android

Dear CM Browser Team,

Please forward this message to your IT security department. I was not
able to find a PGP key for any of your company's official contact
addresses, hence, since this is a severe issue which needs to be
addressed asap, I am forced to write in plain text. You can still
respond in encrypted form to me (my PGP key is attached).

I have found that in version 5.22.02.0018, certificate validation is
completely disabled. This results in the users of the browser being
susceptible to MITM attacks on their private communication. The user
would not be alarmed about the attacks, as she would normally be by
other browsers like Chrome or Firefox. Instead, a green lock icon is
shown as though everything is normal. This is especially horrific for a
product that claims to be "Small, fast and secure.".

To reproduce the behavior I found, visit the following site in CM
Browser: https://expired.badssl.com/
You will find that this website (as well as all the other test pages,
for some of which I've attached screenshots as proof) is being
loaded normally, without any warning about a certificate-related issue.
Imagine a bad actor in the middle of the network connection, who could
actively be replacing the real server certificate with her own. I have
reproduced this behavior with two different Android phones and other (my
own) self-signed certificates in my local network.

I would urge you to also check other products you provide for similar
wrong behavior. With most products, like your Anti-Virus solution, it's
not as easy to quickly detect improper certificate validation.

Due to the severity of the issue and the amount of potentially affected
customers, I will release this information to the public after 15th
December 2017 to raise awareness that users of your product were at risk
until you (hopefully by then) fixed it.

Best regards
