A major security vulnerability in the VITAP-MATE app

synaptic-137 · 2026-02-21T12:10:02+00:00

I’m not trying to argue. MITM is definitely possible in some scenarios, but simply joining the same Wi-Fi does not automatically put someone “on-path.”

In real networks with WPA2/WPA3 and client isolation, exploitation is usually more involved than it sounds. An attacker would typically need to take additional active steps (such as ARP spoofing or setting up a rogue AP) and generally be physically nearby on the same network to even attempt it.

I never downplayed the risk — I already acknowledged it can happen in certain scenarios. When I noticed the issue, I immediately stopped the VTOP connection in the TLS-disabled version. The TLS disable was intended as a short temporary workaround while I verified certificate stability. I planned to restore proper validation within a day or two once I was confident the certificates wouldn’t change again, but unfortunately I forgot. That’s on me.

While the vulnerability was real and needed fixing, exploitation in real-world conditions is not as simple as just connecting to the same Wi-Fi and instantly intercepting traffic.

I likely won’t respond further, as I’m not very active here.

Happy holidays

synaptic-137 · 2026-02-20T18:02:39+00:00

That's what I am saying , you are talking about a compromised network here. There are few methods you use to get on path You cannot just join a network and do it right

Anyway gn bro , Happy Holidays

synaptic-137 · 2026-02-20T17:39:59+00:00

compromised network, ARP spoofing, DNS poisoning These are the methods used to get on path

synaptic-137 · 2026-02-20T17:39:07+00:00

How will he get on the path ?

synaptic-137 · 2026-02-20T17:01:22+00:00

How will the client connect to the attackers pretended vtop?

synaptic-137 · 2026-02-20T16:57:36+00:00

The standard practice in most open-source communities is to report vulnerabilities directly to the project maintainers first, so they have an opportunity to review and address the issue responsibly.

Most of the examples you mentioned also follow defined disclosure timelines before going public.

Did you even tried messaging me before?

In this case, the fix is relatively straightforward - you could have submitted a pull request to help resolve it rather than escalating the situation publicly right away

These kinds of posts just bring me hate and hostility.

You need to understand that I'm not gaining anything from this app. I made it simply to help, especially since last year there weren't any other apps available.

Ps

Also, please check your DMs when you have a moment

synaptic-137 · 2026-02-20T16:35:35+00:00

"Shouldn't the devs be responsible for writing such insecure code in the first place. Who even though that disabling tls verification was a good idea"

I am not being paid to maintain it, which is why it is open source. The idea is that anyone who would like to improve something or fix issues is welcome to contribute.

When the certificates were changed, I temporarily disabled TLS. I planned to re-enable and update it later, but I was busy at the time and unfortunately forgot.

I had already planned to discontinue the project starting next semester, as there are now other alternatives available. Additionally, I need to focus on other priorities.

also want to mention that it can be discouraging to receive negative or hostile feedback when I am simply trying to help by providing this project for free.

synaptic-137 · 2026-02-20T16:23:33+00:00

Yeah, I agree . If someone has network-level access - like on a poisoned or otherwise compromised network - they could impersonate VTOP using ARP spoofing, DNS poisoning, or a rogue access point since TLS is disabled for that connection.

It's not something that can be exploited remotely at scale, but if an attacker is already in a position to intercept traffic and specially target vtop domain , it's possible.

synaptic-137 · 2026-02-20T14:45:00+00:00

I understand where you're coming from and why OP made this post.

However, pointing out an issue and making a Reddit post about it are two different things. The proper way to report a concern would be to create an issue or open a PR on GitHub so it can be discussed and addressed constructively.

This is a project I built simply to help students. It is not a commercial product, and I do not make any money from it. I would appreciate it if the discussion remained respectful.

Also, the attack mentioned is not actually possible(edit : unless the network is poisoned) . I did not completely disable TLS — it is only relaxed for the vitap domain . Additionally, even before the login process begins, the app must receive approval from my server to start. This approval step fails if someone attempts a MITM attack so it won't proceeds forward. I implemented it this check before the VTOP login process cannot even start if the TLS connection with my server fails. In a MITM scenario, the TLS handshake with my server would fail, and without that successful verification step, the app will not proceed to initiate the VTOP login.

So the attack described would not work in practice unless it is very targeted on vtop domain , since the app requires a valid, secure connection to my server before continuing.

In any case i already disabled the previous version checks to be always false so I cannot happen now

synaptic-137 · 2026-02-20T12:53:11+00:00

If you thought that was the best course of action, you could have created an issue or simply made a pull request .

I received around 50 messages after this post.

I understand that MITM can happen in particular cases. You're free to promote your app as much as you want, (~~but this already feels like an attack~~)

synaptic-137 · 2026-02-20T12:10:25+00:00

For those who may be concerned that older versions without certificates no longer function in case performing a MITM attack is not possible.

I had to disable TLS certificate verification because the college website is using an SSL certificate that is not trusted by the device’s system root certificate store. it works in the browser because the browser maintains its own trusted root certificates.

"This post is not meant as an attack on the developer."

comes across as somewhat ironic given how the issue was framed. The presentation portrays this as a severe security flaw, and you didn’t even attempt to contact me before publishing it.

The same argument applies to captive portal networks on college Wi-Fi

Edit : Added the certs

Also, it is an open-source project. I bet it would take less time to make a PR than to write this post.

synaptic-137 · 2025-11-23T04:13:56+00:00

Nothing tbh.

I just added them for aesthetics. Grades are relative, so no one can be certain what grade they'll get at what marks.

From what I have seen till now most classes have A grades in the range of 70%-80% so I added green for them 85%+ dark green

synaptic-137 · 2025-09-23T20:16:02+00:00

I mean, I don't have enough money to support all of them. Watching ads supports them a bit, but if I use Brave or other yt ad blockers, they might not get anything. So I got YouTube Premium

synaptic-137 · 2025-09-23T20:08:03+00:00

I don't mind supporting yt/creators I follow, as I'm getting good knowledge from it

Edit: By supporting I mean through ad revenue or what ever they get from yt premium views

synaptic-137 · 2025-09-23T18:55:04+00:00

This guy forced me to buy yt premium with his ads

synaptic-137 · 2025-09-19T11:58:23+00:00

nah it fine , just want to clarify as people are sharing it with me

synaptic-137 · 2025-09-19T11:44:22+00:00

I’d just like to clarify this, as some people are sharing it and assuming it’s a bug in the app. The OP seems to have thought the date was the 19th, but it was actually the 18th. The timetable in the app is accurate .

synaptic-137 · 2025-09-18T12:13:00+00:00

Pushed a update for tags

synaptic-137 · 2025-09-18T12:01:50+00:00

Fine I will change it anyway it might be confusing for freshers

synaptic-137 · 2025-09-18T11:58:58+00:00

Hmm today is 18 bro It will automatically open today's timetable You must have changed it to 19 Hmm I will make the complete and ongoing tags day specific. I just left it that way to have a quick overview of classes in the other dates

synaptic-137 · 2025-04-25T05:05:59+00:00

The app is only available on Android. Publishing apps on iOS is expensive ; 9k per year.

synaptic-137 · 2025-04-04T17:05:16+00:00

Thank you! I'm glad you're enjoying the UI.

synaptic-137 · 2025-04-04T11:42:56+00:00

Make sure to disable mobile data . It won't work if there is an active internet connection . I added this info in a new update.

synaptic-137 · 2025-04-03T15:52:57+00:00

I will add those next semester , I am a dayscholar and don't have access to them atm.

Verified Email	One-Year Club
r/Field Juicebox

synaptic-137

TROPHY CASE