Task #12980

Support #12933: [SCP ID :##6249##] : Mobile Pentest Remediation

Pentest - L6 - Local Biometric Authentication Bypass

Added by Nurul Athira Abdul Rahim over 2 years ago. Updated over 1 year ago.

Status: Internal Testing
Start date: May 10, 2022
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: PCI DSS - Pentest
Spent time: -
Target version: -

Description

At the time of assessment, the LGMS security team successfully bypassed the application's local biometric authentication and gained access to sensitive data as an unauthenticated user.

Attackers can easily bypass local biometric authentication when the authentication step returns no data to the application (only a pass/fail outcome). Additionally, because the remote endpoint does not enforce authentication, attackers can bypass the local check and query data from the remote endpoint directly.

Action Plan:
Check the session table
(Table: bib user security)
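A server-side check of the kind the action plan calls for, added here as an example that is not code from this ticket or the project: the transaction endpoint consults the session table, not the client, and a session established only by fingerprint login is refused with the expected error. The row layout, field names and endpoint tiers are assumptions, not the real "bib user security" schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Constructed stand-in for one row of the session table (assumed fields).
@dataclass
class SessionRow:
    session_id: str
    user_id: str
    auth_method: str         # "password" or "fingerprint"
    password_verified: bool  # True only after the server verified the password
    expires_at: datetime

# Assumed policy: which authentication level each endpoint requires.
# Transaction modules must never be reachable on a biometric-only session.
REQUIRED_LEVEL = {
    "/account/balance": "biometric",
    "/transfer/own-account": "password",
    "/transfer/third-party": "password",
}

NORMAL_LOGIN_MSG = "Please proceed to normal login."

def authorize(endpoint: str, session_id: Optional[str],
              sessions: Dict[str, SessionRow], now: datetime) -> Tuple[bool, str]:
    """Decide on the server whether a request may reach `endpoint`.

    The decision is based only on the session table; nothing the client
    asserts about its local biometric result is trusted.
    """
    required = REQUIRED_LEVEL.get(endpoint)
    if required is None:
        return False, "unknown endpoint"
    row = sessions.get(session_id) if session_id else None
    if row is None or row.expires_at <= now:
        return False, "unauthenticated"      # no session, or an expired one
    if required == "password" and not row.password_verified:
        return False, NORMAL_LOGIN_MSG       # fingerprint-only session: no transactions
    return True, "ok"

def build_sample_sessions(now: datetime) -> Dict[str, SessionRow]:
    """Constructed sample rows: fingerprint-only, full password login, expired."""
    return {
        "s-fp":  SessionRow("s-fp",  "u1", "fingerprint", False, now + timedelta(minutes=10)),
        "s-pw":  SessionRow("s-pw",  "u1", "password",    True,  now + timedelta(minutes=10)),
        "s-old": SessionRow("s-old", "u2", "password",    True,  now - timedelta(minutes=1)),
    }

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(authorize("/transfer/own-account", "s-fp", build_sample_sessions(now), now))
```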

fingerprint_bypasslogin_L6.jpg (32.8 KB) Rahmat Aina Nadia, March 29, 2023 14:59


Related issues

Related to BSN CDB Support - Task #12968: [SCP ID :##6249##] : Mobile Pentest Remediation L1 Missin... Internal Testing May 10, 2022

History

#1 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from New - Begin Life Cycle to Pending SIT Deployment
  • % Done changed from 0 to 90

Similar to Support #12968

#2 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Pending SIT Deployment to Internal Testing
  • Assignee changed from Najmi Pasarudin to Nurul Syahirah Md Nawi

Similar to Support #12968

#3 Updated by Nurul Athira Abdul Rahim about 2 years ago

  • Status changed from Internal Testing to Development / Work In Progress
  • Assignee changed from Nurul Syahirah Md Nawi to Najmi Pasarudin

#4 Updated by Najmi Pasarudin about 2 years ago

  • Status changed from Development / Work In Progress to Internal Testing
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
  • % Done changed from 90 to 100

Update Support #12968 comment #11

#5 Updated by Nurul Athira Abdul Rahim over 1 year ago

From Najmi:

Hi Athira,
Attached is the response image, L1_result20220718.png.

Test steps for the attached error:
Access mobile apk
Login using fingerprint login
Bypass login password page - requires Mobile Team help
Access Own account transfer or any transaction module
Expected result, get error "Please proceed to normal login."

#6 Updated by Rahmat Aina Nadia over 1 year ago

Hi Athira,

Mobile has tested this scenario.
However, we didn't get the expected error "Please proceed to normal login."
We get "Service is currently Unavailable". Please refer to the image attached.
