Summary: Under certain conditions Tableau Mobile is vulnerable to a man-in-the-middle attack when connecting to Tableau Server. To exploit the vulnerability, an attacker must be able to intercept and modify the initial network messages, and force fallback to insecure communication. In some cases when Tableau Mobile connects to a host using a secure connection (HTTPS), the connection may fallback to an insecure connection (HTTP).
Impact: The attacker can intercept communications which may result in the disclosure of credentials.
- Tableau Mobile for iOS version 10.1.0 and earlier
- Tableau Mobile for Android version 10.1.0.60.0 and earlier.
Resolution: Upgrade the Tableau Mobile application to the latest version available through Apple Application store or Google Play store.
Additional Information: The upgraded version of Tableau Mobile will not fallback to an insecure (HTTP) connection if the user specifies a secure (HTTPS) connection.
In all cases where SSL is enabled on Tableau Server, you should instruct users to specify a secure HTTPS URL (https://myserver.example.com) whenever they connect to Tableau Server. Discourage users from entering the hostname only.