Task #12980
Support #12933: [SCP ID :##6249##] : Mobile Pentest Remediation
Pentest - L6 - Local Biometric Authentication Bypass
| Status: | Internal Testing | Start date: | May 10, 2022 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Nurul Athira Abdul Rahim | % Done: | 100% |
| Category: | PCI DSS - Pentest | Spent time: | - |
| Target version: | - | | |
Description
At the time of assessment, LGMS security team successfully bypassed the application's local biometric authentication to gain access to sensitive data as an unauthenticated user.
Local biometric authentication is easy to bypass when the authentication process returns no data that the application depends on. In addition, because authentication is not enforced at the remote endpoint, an attacker can skip the local authentication entirely and query data from the remote endpoint directly.
Action Plan:
Check the session table (Table: bib user security).
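The remediation the action plan points at, enforcing authentication at the remote endpoint against the session table rather than trusting the device-side biometric result, as an added example (not the project's code). The in-memory dict stands in for the "bib user security" table; the field names, function names and sample rows are all constructed for illustration.

```python
# Added example, not the project's code. It contrasts a transaction handler
# that trusts a client-side biometric result with one that enforces
# authentication against a server-side session table. The dict below stands
# in for the "bib user security" table; all field and function names are
# hypothetical.
import time
from dataclasses import dataclass

NORMAL_LOGIN_REQUIRED = "Please proceed to normal login."


@dataclass
class SessionRecord:
    user_id: str
    server_authenticated: bool  # True only after the backend itself verified credentials
    expires_at: float           # epoch seconds


# Constructed sample rows for the session table.
SESSION_TABLE = {
    "sess-001": SessionRecord("user-A", True, 2_000_000_000.0),   # normal (password) login
    "sess-002": SessionRecord("user-B", False, 2_000_000_000.0),  # device-only biometric
    "sess-003": SessionRecord("user-C", True, 1_000_000_000.0),   # expired
}


def vulnerable_transfer(request: dict) -> dict:
    """Pattern behind the finding: the endpoint believes a flag the client sets,
    so the local biometric prompt is the only gate and it is not server-enforced."""
    if request.get("biometric_passed"):
        return {"ok": True, "user": request.get("user_id"), "amount": request["amount"]}
    return {"ok": False, "error": NORMAL_LOGIN_REQUIRED}


def hardened_transfer(session_id: str, amount: int, now=None) -> dict:
    """Remediated pattern: only the server-side session record is consulted.
    A session that never completed a server-verified login, or has expired,
    gets the "Please proceed to normal login." response regardless of what
    the app reported locally."""
    now = time.time() if now is None else now
    record = SESSION_TABLE.get(session_id)
    if record is None or record.expires_at <= now or not record.server_authenticated:
        return {"ok": False, "error": NORMAL_LOGIN_REQUIRED}
    return {"ok": True, "user": record.user_id, "amount": amount}
```

The same check belongs on every transaction module the ticket lists (own-account transfer included), since the test in comment #5 expects the normal-login error from each of them.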
Related issues
History
#1 Updated by Najmi Pasarudin over 2 years ago
- Status changed from New - Begin Life Cycle to Pending SIT Deployment
- % Done changed from 0 to 90
Similar to Support #12968
#2 Updated by Najmi Pasarudin over 2 years ago
- Status changed from Pending SIT Deployment to Internal Testing
- Assignee changed from Najmi Pasarudin to Nurul Syahirah Md Nawi
Similar to Support #12968
#3 Updated by Nurul Athira Abdul Rahim about 2 years ago
- Status changed from Internal Testing to Development / Work In Progress
- Assignee changed from Nurul Syahirah Md Nawi to Najmi Pasarudin
#4 Updated by Najmi Pasarudin about 2 years ago
- Status changed from Development / Work In Progress to Internal Testing
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
- % Done changed from 90 to 100
Update Support #12968 comment #11
#5 Updated by Nurul Athira Abdul Rahim over 1 year ago
From Najmi :
Hi Athira,
Attached is the response image, L1_result20220718.png.
Test steps for the attached error:
Access mobile apk
Login using fingerprint login
Bypass login password page - requires Mobile Team help
Access Own account transfer or any transaction module
Expected result: get error "Please proceed to normal login."
#6 Updated by Rahmat Aina Nadia over 1 year ago
- File fingerprint_bypasslogin_L6.jpg added
Hi Athira,
Mobile has tested this scenario.
However, we didn't get the expected error "Please proceed to normal login."
We get "Service is currently Unavailable". Please refer to the image attached.