search

tonkeeper / wallet

GNU General Public License v3.0
320 stars 80 forks source link

Unlimited passcode trials #20

Open zmxv opened 2 years ago

zmxv commented 2 years ago

Bug Type

Security

Reproduction steps

  1. Set up a wallet and a four digit passcode.
  2. Restart the wallet app and start entering wrong passcodes.

Actual result

A user can try passcodes without rate limits.

screenshot

Expected result

Rate limiting (with exponential backoff) should be enforced to prevent brute force attack. And passcode should not be limited to four digits only.

Suggested Severity

High

Device

Desktop (please complete the following information):

OS: [e.g. iOS] Browser [e.g. chrome, safari] Version [e.g. 22] Smartphone (please complete the following information):

Device: iPhone 13 Pro OS: iOS 15.6.1 Browser: Mobile Safari Version: Tonkeeper 2.6

Additional Context

No response

olyaMay commented 2 years ago

Hi, the issue have been registered in our system with internal TK-799. You will get a PR number when it will be fixed. Thanks!