Acer’s cloud storage service, which has 10-50 million users, left people who used its Android app vulnerable to a man-in-the-middle attack. The required Acer Portal app can be used to access files but didn’t properly check the SSL certificate of the Acer Cloud service.
An attacker between the user and the cloud service could obtain the password and files of any user this way. The security researchers who discovered the vulnerability tried to inform Acer but their emails to [email protected] and [email protected] could not be delivered.
The researchers then notified the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, which then communicated the issue to Acer. The Taiwanese computer manufacturer released a new version of its Acer Portal app in June this year. Users with version 18.104.22.1680 and onwards are safe. Because most users are now likely on this version, details of the vulnerability are now being disclosed.
Users who haven’t updated yet are urged to update as soon as possible.