Vulnerability in OkHttp’s Certificate Pinner
We fixed a bug that could have been used to defeat certificate pinning
Security researcher John Kozyrakis from Cigital recently discovered a vulnerability in OkHttp’s CertificatePinner. He responsibly disclosed the issue to us via Square’s open source bug bounty program at HackerOne.
After feeling just a little bit embarrassed, I implemented a fix and released it as OkHttp 3.2.0. We also backported the fix to OkHttp 2.7.5. If you’re using OkHttp in your application, please upgrade to the latest release.
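For readers checking their own configuration after upgrading, the following is an added example of wiring `CertificatePinner` into an OkHttp 3.x client; it is not code from the post or from the OkHttp project. The Gradle coordinate, the hostname `example.com`, the class name `PinnedClient` and the two pin values are assumptions and placeholders, not values from the page; the `printPins` helper is a bootstrapping aid for collecting the real pins from the genuine host.

```java
// Added example, not Square's code. Assumes OkHttp 3.2.0 or later, e.g. in build.gradle:
//   compile 'com.squareup.okhttp3:okhttp:3.2.0'   (coordinate is an assumption)
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

import java.io.IOException;
import java.security.cert.Certificate;
import java.util.List;

public class PinnedClient {
  // Placeholder host and pins: replace with your own host and the SHA-256
  // SubjectPublicKeyInfo pins of the certificates you intend to pin.
  static final String HOST = "example.com";
  static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
  static final String BACKUP_PIN  = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";

  // Builds a client that refuses any TLS handshake whose trusted chain does not
  // contain a certificate matching one of the pins for HOST.
  static OkHttpClient build() {
    CertificatePinner pinner = new CertificatePinner.Builder()
        .add(HOST, PRIMARY_PIN)
        .add(HOST, BACKUP_PIN)   // a backup pin allows key rotation without locking clients out
        .build();
    return new OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build();
  }

  // Prints the pin string OkHttp computes for each certificate the server
  // presented. Run this once, without pinning, against the genuine host over a
  // network you trust, then paste the values you want into PRIMARY_PIN/BACKUP_PIN.
  static void printPins(OkHttpClient client) throws IOException {
    Request request = new Request.Builder().url("https://" + HOST + "/").build();
    Response response = client.newCall(request).execute();
    try {
      List<Certificate> chain = response.handshake().peerCertificates();
      for (Certificate cert : chain) {
        System.out.println(CertificatePinner.pin(cert));
      }
    } finally {
      response.body().close();
    }
  }

  public static void main(String[] args) throws IOException {
    // Unpinned client only for collecting pins; the pinned client is what ships.
    printPins(new OkHttpClient());
    OkHttpClient pinned = build();
    Request request = new Request.Builder().url("https://" + HOST + "/").build();
    Response response = pinned.newCall(request).execute();
    System.out.println("pinned request succeeded: " + response.code());
    response.body().close();
  }
}
```

If the pins do not match, OkHttp fails the call with an `SSLPeerUnverifiedException` whose message lists the pins of the chain it saw, which is the same information `printPins` prints. Pin at least two keys (a live one and an offline backup) so a certificate rotation does not turn into an outage for every installed client.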
For a complete explanation of the problem, its origins, and consequences, see John’s post. Security is a difficult problem, and we Squares take it very seriously. We’ll continue to work hard to keep our code secure!