Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Dropbox CVE-2018-12445 Information
> [Description]
> ** DISPUTED ** An issue was discovered in the com.dropbox.android
> application 98.2.2 for Android. The FingerprintManager class for
> Biometric validation allows authentication bypass through the callback
> method from onAuthenticationFailed to onAuthenticationSucceeded with
> null, because the fingerprint API in conjunction with the Android
> keyGenerator class is not implemented. In other words, an attacker
> could authenticate with an arbitrary fingerprint. NOTE: the vendor
> indicates that this is not an attack of interest within the context of
> their threat model, which excludes Android devices on which rooting
> has occurred.
>
> ------------------------------------------
>
> [Additional Information]
>
> Exploitation Narrative for bypass local authentication on Fingerprint
>
> 1. De-compiling process was used to determine application logic
> through source code. Even the application was minified (Seem to be
> using Proguard), We still can analyse the logic of Fingerprint
> authentication on "com.dropbox.android.activity.lock.c" class.
>
> 2. We notice that the fingerprint method is implemented through
> FingerprintManager class.
>
> 3. Frida script was created to hook into "b" method in order to set
> the onAuthenticationSucceeded to "null".
>
> Recommendation
> Using fingerprint API in conjunction with the Android keyGenerator class.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> OWASP Mobile Top 10 2016:M1-Improper Platform Usage, CWE-287 - Improper Authentication
>
> ------------------------------------------
>
> [Vendor of Product]
> Dropbox
>
> ------------------------------------------
>
> [Affected Product Code Base]
> com.dropbox.android (Android: Google Play Store) - 98.2.2
>
> ------------------------------------------
>
> [Affected Component]
> Bio-metric(Fingerprint) authentication
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Authentication Bypass
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker who is able to access on rooted Android device, could
> perform runtime manipulation on Bio-metric authentication
> which allow attacker to force the return value to be "true".
> A malicious application which may evade Google Play Store
> detection, could attack the Dropbox application on rooted device by
> hooking into Bio-metric mechanism in order to bypass authentication
> process.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Prathan Phongthiproek, Boonpoj Thongakaraniroj
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.