Unlimited passcode trials

zmxv commented 2 years ago

Bug Type

Security

Reproduction steps

Set up a wallet and a four digit passcode.
Restart the wallet app and start entering wrong passcodes.

Actual result

A user can try passcodes as many times as possible.

Expected result

Rate limiting (with exponential backoff) should be enforced to prevent brute force attack. And passcode should not be limited to four digits only.

Suggested Severity

High

Device

Desktop (please complete the following information):

OS: [e.g. iOS]
Browser [e.g. chrome, safari]
Version [e.g. 22]

Smartphone (please complete the following information):

Device: iPhone 13 Pro
OS: iOS 15.6.1
Browser: Mobile Safari
Version: Tonkeeper 2.6

Additional Context

No response

menschee commented 2 years ago

Hi! This repo is intended for TON wallet app, not for Tonkeeper. If you have found any bugs with Tonkeeper app, please, open an issue in this repository

zmxv commented 2 years ago

Thanks for the pointer.

ton-blockchain / wallet-ios