Created
August 13, 2018 14:04
LINE CVE-2018-13434 Information
[Description]
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The LAContext class for Biometric (TouchID) validation allows authentication bypass by overriding the LAContext return Boolean value to be "true" because the kSecAccessControlUserPresence protection mechanism is not used. In other words, an attacker could authenticate with an arbitrary fingerprint. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes iOS devices on which a jailbreak has occurred.

------------------------------------------

[Additional Information]
The LAContext class used for the Biometric (TouchID) validation mechanism in LINE jp.naver.line (iOS: App Store version 8.8.0) allows an attacker to perform runtime manipulation to bypass the TouchID validation mechanism (local authentication) by overriding the LAContext return Boolean value to be "true". Therefore an invalid fingerprint could be used to bypass LINE's authentication check and gain access to the app.

POC: https://www.dropbox.com/s/jb1uoz0fsmujehn/LINE_BypassFingerprint.mp4?dl=0

Recommendation: implement User Presence validation by using the "kSecAccessControlUserPresence" attribute (use the current TouchID fingerprint set when data is saved to the keychain; if the current set changes, the TouchID evaluation fails) instead of using the LAContext class.

------------------------------------------

[VulnerabilityType Other]
OWASP Mobile Top 10 2016: M4 - Insecure Authentication, CWE-287 - Improper Authentication

------------------------------------------

[Vendor of Product]
LINE Corporation

------------------------------------------

[Affected Product Code Base]
jp.naver.line (iOS: App Store) - 8.8.0

------------------------------------------

[Affected Component]
Biometric (fingerprint) authentication

------------------------------------------

[Attack Type]
Context-dependent

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[CVE Impact Other]
Authentication Bypass

------------------------------------------

[Attack Vectors]
An attacker who is able to access a jailbroken iOS device could perform runtime manipulation of the biometric authentication, forcing the return value to be "true". A malicious application that evades App Store detection could attack the LINE application on a jailbroken device by hooking into the biometric mechanism in order to bypass the authentication process.

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Prathan Phongthiproek, Parameth Eimsongsak

------------------------------------------

[Reference]
https://www.dropbox.com/s/jb1uoz0fsmujehn/LINE_BypassFingerprint.mp4?dl=0
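The two patterns the advisory contrasts, as an added Swift example that is not part of this gist or of LINE's code: the LAContext path that hands the app only a Boolean, beside the keychain path gated by kSecAccessControlUserPresence as the recommendation describes. The service and account names and the prompt string are assumptions.

```swift
import Foundation
import LocalAuthentication
import Security

// Weak pattern described in the advisory: the app acts on a Boolean result.
// A runtime hook on a jailbroken device can force that Boolean to true.
func weakUnlock(completion: @escaping (Bool) -> Void) {
    let ctx = LAContext()
    guard ctx.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: nil) else {
        return completion(false)
    }
    ctx.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                       localizedReason: "Unlock LINE") { ok, _ in
        completion(ok)  // only a Bool crosses this boundary; nothing else is gated
    }
}

// Hardened pattern from the recommendation: keep the unlock secret in a
// keychain item protected by kSecAccessControlUserPresence. The keychain
// releases it only after a genuine user-presence check, so a forged Boolean
// gives an attacker nothing the app actually needs (e.g. a decryption key).
let service = "jp.naver.line.unlock"   // hypothetical service name
let account = "unlock-secret"          // hypothetical account name
let baseQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: service,
    kSecAttrAccount as String: account,
]

func storeSecret(_ secret: Data) -> OSStatus {
    guard let acl = SecAccessControlCreateWithFlags(
            nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .userPresence, nil) else { return errSecParam }
    SecItemDelete(baseQuery as CFDictionary)  // replace any earlier item
    var add = baseQuery
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = secret
    return SecItemAdd(add as CFDictionary, nil)
}

// Returns the secret only if the user-presence check succeeded.
func readSecret() -> Data? {
    var query = baseQuery
    query[kSecReturnData as String] = true
    query[kSecUseOperationPrompt as String] = "Unlock LINE"
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    return status == errSecSuccess ? item as? Data : nil
}
```

The app should make real capability depend on the returned secret (for instance, the key that decrypts local data), so that flipping a Boolean alone no longer unlocks anything; the vendor's exclusion of jailbroken devices reflects that a fully compromised device can still interfere with the keychain read itself.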