search

Nonononoki / Hendroid

Doujinshi Android App
https://f-droid.org/de/packages/org.nonononoki.hendroid/
Apache License 2.0
136 stars 10 forks source link

Password bypass vulnerability #49

Closed c4llv07e closed 2 years ago

c4llv07e commented 2 years ago

Password bypass vulnerability

I found a vulnerability with which you can log into hendroid, protected by a password with the "lock when restored from background" parameter. If you quickly switch between applications, you will not need to enter a PIN code, provided that it has already been entered in this session.

This is (probably) not a problem with the "delay" parameter, because it works when it is set to "no delay".

This is my first issue, so I might not have included something important. Ask anything.

Hendroid Version: 1.15.14 (184)

Device/Android Version: MI MAX 2/10 (custom ROM)

Issue details / Repro steps: 1) Open password-protected Hendroid. 2) Enter password (Important, not working on first start). 3) Exit and enter into app. 4) Quickly exit the app and return back. 5) Hendroid unlocked without password.

https://user-images.githubusercontent.com/38111072/144653383-16b1d4c7-476b-4cce-9c1c-18865f47063d.mp4

c4llv07e commented 2 years ago

Nevermind, this is a hentoid bug too.