Sourav Sahana

@pocdork

Sourav Sahana Uncategorized Bypass Mobile PIN Verification

Bypass Mobile PIN Verification

Hi Hunters! again I’m here with another findings. The bounty of this bug is not enough but I’m still happy with this ¯_(ツ)_/¯. I’m personally more interested about mobile application testing. I was able to bypass of a application’s PIN verification. Hope you will enjoy this post..

It was 31 Oct, 2019. New program launched on Bugcrowd. Feels like got command from commando for surgical strike. Luckily there was a apk file in scope.

There was a 4 digit PIN protection for opening the application. First I thought this can be bypass using response manipulation. But wait ! not getting any request in the Intercept. may be I did not bypass ssl pining properly. Checked again. All ok! So I’m not getting request for that task it means application is fetching data from internal memory. So opened ADB tool and started finding where the PIN is storing. Finally found a suspicious xml file in shared_prefs directory, Named 6e230139nh78454a8b0abui876b5f4a3.xml . And it contains some hash string. Every time the hash value changes after I change the PIN. So I simply removed the file, and BAAMM… There is no PIN protection when I open the application.

I immediately created a report with a good POC video and waiting for the response. First they marked my report as P as it required physical and root access. Then I argued with them. My replay: “you are right this exploit needs physical access of user’s device. But developer implemented one extra protection for one step better security because of unauthorized users can’t access the application even he has the device on his hand. If attacker can bypass this anyhow then this protection is useless, in that case basic protection will be enough to authenticate users. authentication mechanism is not implemented properly and I believe this is a security issue present in the application”

Finally they accepted my report and I got my bounty. I feel so happy.

Leave a Reply

Your email address will not be published.

TopBack to Top