otio-llc / security

Advanced security solutions for custom enterprise web applications
MIT License

fix: user is unable to pre-validate before biometric test creating a potential vulnerability #5

Open awentzel opened 1 year ago

awentzel commented 1 year ago

Bug Overview

Investigate if new requests include a notification that confirms the device user’s intent to biometrically authenticate.

Bug Details

In the event that a bad actor gains access to a user's credentials and attempts to log in as the user, it is possible for the user to accidentally approve the authentication request in the iValt app, because the app immediately tries to use the user's phone biometrics to authenticate. To mitigate this scenario, the app should first ask the user whether they want to approve or deny the request before trying to authenticate with biometrics.

Steps to replicate

Tap on any biometric request notification from the iValt app to open the app and see that it tries to authenticate without any user input.
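As an added illustration (not code from the iValt app or this repository), the two flows described in this issue modelled in Python: the reported behaviour, where opening the notification runs the biometric check at once, beside the proposed fix, where biometrics are honoured only after an explicit Approve tap and Deny never touches biometrics. The request fields and the always-successful `biometric_prompt` stand-in are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum, auto

class Outcome(Enum):
    PENDING = auto()
    APPROVED = auto()
    DENIED = auto()

@dataclass
class LoginRequest:
    request_id: str               # hypothetical id of the pending login
    origin: str                   # where the attempt came from; shown to the user
    outcome: Outcome = Outcome.PENDING
    user_confirmed: bool = False  # set only by an explicit tap on "Approve"

def biometric_prompt() -> bool:
    # Constructed stand-in for the phone's biometric check. It always succeeds,
    # which is exactly the case the issue worries about: the legitimate user's
    # finger or face is present even when the login attempt is not theirs.
    return True

def insecure_open_from_notification(req: LoginRequest) -> Outcome:
    """Reported behaviour: opening the notification runs biometrics immediately,
    so a single tap on the notification approves the login."""
    req.outcome = Outcome.APPROVED if biometric_prompt() else Outcome.DENIED
    return req.outcome

def hardened_open_from_notification(req: LoginRequest) -> Outcome:
    """Proposed fix: opening the notification only shows the request details
    (req.origin) and an Approve/Deny choice; no authentication runs yet."""
    return req.outcome            # still PENDING

def hardened_user_choice(req: LoginRequest, approve: bool) -> Outcome:
    """Called when the user taps Approve or Deny inside the app."""
    if req.outcome is not Outcome.PENDING:
        return req.outcome        # decision already recorded; ignore repeats
    if not approve:
        req.outcome = Outcome.DENIED   # denying never needs biometrics
        return req.outcome
    req.user_confirmed = True
    return hardened_run_biometrics(req)

def hardened_run_biometrics(req: LoginRequest) -> Outcome:
    """Biometric result is only honoured after an explicit Approve."""
    if not req.user_confirmed or req.outcome is not Outcome.PENDING:
        return req.outcome        # refuse to authenticate without prior consent
    req.outcome = Outcome.APPROVED if biometric_prompt() else Outcome.DENIED
    return req.outcome
```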

awentzel commented 1 year ago

@KingOfTac please update with details you discovered.