Skip to content

Instantly share code, notes, and snippets.

@tanprathan

tanprathan/CVE-2018-13434.txt

Created August 13, 2018 14:04
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save tanprathan/f5133651e438b2ad1b39172d52b56115 to your computer and use it in GitHub Desktop.
Save tanprathan/f5133651e438b2ad1b39172d52b56115 to your computer and use it in GitHub Desktop.
Download ZIP
LINE CVE-2018-13434 Information
Raw
CVE-2018-13434.txt
> [Ddescription]
> ** DISPUTED ** An issue was discovered in the LINE jp.naver.line application
> 8.8.0 for iOS. The LAContext class for Biometric (TouchID) validation
> allows authentication bypass by overriding the LAContext return Boolean
> value to be "true" because the kSecAccessControlUserPresence
> protection mechanism is not used. In other words, an attacker could
> authenticate with an arbitrary fingerprint. NOTE: the vendor indicates
> that this is not an attack of interest within the context of their
> threat model, which excludes iOS devices on which a jailbreak has
> occurred.
>
> ------------------------------------------
>
> [Additional Information]
> The application implemented LAContext class on Biometric (TouchID)
> validation mechanism in LINE jp.naver.line (iOS: App Store Version
> 8.8.0) allows attacker to conduct runtime manipulation to bypass
> TouchID validation mechanism (Local authentication) by overriding the
> LAContext return Boolean value to be "true". Therefore invalid
> fingerprint on LINE authentication could be used to bypass the
> authentication checking in order to gain access into the app.
>
> POC:https://www.dropbox.com/s/jb1uoz0fsmujehn/LINE_BypassFingerprint.mp4?dl=0
>
> Recommendation Implementing User Presence validation by using
> "kSecAccessControlUserPresence" attributes (Use the current TouchID of
> fingerprints when data saved to keychain. If current set changes, the
> TouchID evaluation fails) instead of using LAContext Class.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> OWASP Mobile Top 10 2016:M4-Insecure Authentication, CWE-287 - Improper Authentication
>
> ------------------------------------------
>
> [Vendor of Product]
> LINE Corporation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> jp.naver.line (iOS: App Store) - 8.8.0
>
> ------------------------------------------
>
> [Affected Component]
> Bio-metric(Fingerprint) authentication
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Authentication Bypass
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker who is able to access on jail-broken iOS device, could
> perform runtime manipulation on Bio-metric authentication which allow
> attacker to force the return value to be "true". A malicious
> application which may evade AppStore detection, could attack the LINE
> application on jail-broken device by hooking into Bio-metric mechanism
> in order to bypass authentication process.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Prathan Phongthiproek, Parameth Eimsongsak
>
> ------------------------------------------
>
> [Reference]
> https://www.dropbox.com/s/jb1uoz0fsmujehn/LINE_BypassFingerprint.mp4?dl=0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment