Well I guess it just took 2 minutes to hack the Eu id app
Gotta watch those expensive numbskulls who blindly use AI lol :)
Paul Moore - Security Consultant (@Paul_Reviews)
Hacking the #EU #AgeVerification app in under 2 minutes.
During setup, the app asks you to create a PIN. After entry, the app encrypts it and saves it in the shared_prefs directory.
1. It shouldn't be encrypted at all - that's a really poor design.
It's not cryptographically tied to the vault which contains the identity data.
So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app.
After choosing a different PIN, the app presents credentials created under the old profile and let's the attacker present them as valid.
Other issues:
1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step.
Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.
Waitman Gobble
@hello@rumbly.net
Hello Welcome To The New You I, me, mine, myself, we, us, ours, ourselves, you, your, yours, yourself, yourselves, he, him, his, himself, she, her, hers, herself, it, it's, itself, they, them, theirs, themselves
rumbly.net
Waitman Gobble
@hello@rumbly.net
Hello Welcome To The New You I, me, mine, myself, we, us, ours, ourselves, you, your, yours, yourself, yourselves, he, him, his, himself, she, her, hers, herself, it, it's, itself, they, them, theirs, themselves
rumbly.net
@hello@rumbly.net
·
4d ago
0
4
0
Conversation (4)
Showing 0 of 4 cached locally.
Syncing comments from the remote thread. 4 more replies are still loading.
Loading comments...