Damus
BankSith
@BankSith
REMEMBER WHAT ANDREAS ANTONOPOULOS
ONCE SAID ABOUT GOVERNMENT DOING IT?

INCOMPETENCE ON STEROIDS! AND MILLIONS OF TAX REVENUE BURNED🔥!

OH, WAIT, THE #DIGITALEURO WALLET WILL BE SUPER CONVENIENT! 💩

👇🏻👇🏻

“Hacking the #EU #AgeVerification app in under 2 minutes.

During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.

1. It shouldn't be encrypted at all - that's a really poor design.
2. It's not cryptographically tied to the vault which contains the identity data.

So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app.

After choosing a different PIN, the app presents credentials created under the old profile and lets the attacker present them as valid.

Other issues:
1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step.

Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.”
via https://x.com/paul_reviews/status/2044723123287666921

👇🏻👇🏻

“‼️🇪🇺 The EU's new Age Verification app was hacked with little to no effort.

When you set it up, the app asks you to create a PIN. But that PIN isn't actually tied to the identity data it's supposed to protect. An attacker can delete a couple of entries from a file on the phone, restart the app, pick a new PIN, and the app happily hands over the original user's verified identity credentials as if nothing happened.

It gets worse. The app's "too many attempts" lockout is just a counter in a text file. Reset it to 0 and keep guessing. The biometric check (face/fingerprint) is a simple on/off switch in the same file. Flip it to off and the app skips it entirely.”
via https://x.com/intcyberdigest/status/2044762941019295772

#bitcoin fixes this 🧡
#EUafuera 🔥
#REJECTCBDC
#NoDigitalEuro
#nostr
#ageverification
#surveillance
#control

cc: @Susie Violet @Efrat Fenigson @walker @preston @jack

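The two design points raised in the quoted thread (a PIN that is encrypted but not cryptographically tied to the vault, and lockout state kept in the same user-editable prefs file) modelled side by side in Python. This is an added example for readers of this post; it is not code from the EU app, from the quoted authors, or from anyone who has analysed the app. The pref names PinEnc, PinIV, FailedAttempts and UseBiometricAuth come from the quoted text; everything else (the device key, the vault contents, the HMAC-based stream cipher standing in for AES, the scrypt parameters) is a constructed stand-in. `bypass_weak()` replays the described steps against the unbound design and gets the original holder's identity back; the same edits against the bound design, where a random vault key is wrapped under a scrypt-derived key, return nothing.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data standing in for the verified identity credentials in the vault.
IDENTITY = b"age_over_18=true;issuer=example-issuer;subject=holder-1"
# Stand-in for an Android Keystore key the app can always use. An attacker editing
# shared_prefs cannot read it, but in the weak design they never need to.
DEVICE_KEY = secrets.token_bytes(32)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for AES-CTR, not for production."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC with enc/mac subkeys split off `key`; hex fields."""
    nonce = secrets.token_bytes(12)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_sealed(key: bytes, box: dict) -> Optional[bytes]:
    """Verify the tag, then decrypt; None on wrong key or tampering."""
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return _keystream_xor(enc_key, nonce, ct)


class WeakApp:
    """Design as described in the post: the PIN is encrypted into prefs (PinEnc/PinIV),
    but the vault is sealed under the device key, so the PIN is only a gate."""

    def __init__(self, identity: bytes):
        self.prefs: dict = {"FailedAttempts": 0, "UseBiometricAuth": True}  # shared_prefs stand-in
        self.vault = seal(DEVICE_KEY, identity)

    def set_pin(self, pin: str) -> None:
        box = seal(DEVICE_KEY, pin.encode())
        self.prefs["PinIV"] = box.pop("nonce")
        self.prefs["PinEnc"] = box

    def unlock(self, pin: str) -> Optional[bytes]:
        if "PinEnc" not in self.prefs:          # no PIN on record: treated as first run, enrol
            self.set_pin(pin)
        box = dict(self.prefs["PinEnc"], nonce=self.prefs["PinIV"])
        if open_sealed(DEVICE_KEY, box) != pin.encode():
            self.prefs["FailedAttempts"] += 1   # lockout state lives in the same editable file
            return None
        return open_sealed(DEVICE_KEY, self.vault)  # nothing here depends on the PIN


class BoundApp:
    """Hardened design: a random vault key is wrapped under a scrypt-derived key from the
    PIN. Without the right PIN there is no vault key, so the vault stays sealed."""

    def __init__(self, identity: bytes, pin: str):
        self.prefs: dict = {"Salt": secrets.token_bytes(16).hex()}
        vault_key = secrets.token_bytes(32)
        self.vault = seal(vault_key, identity)
        self.prefs["WrappedKey"] = seal(self._kek(pin), vault_key)

    def _kek(self, pin: str) -> bytes:
        return hashlib.scrypt(pin.encode(), salt=bytes.fromhex(self.prefs["Salt"]),
                              n=2 ** 14, r=8, p=1, dklen=32)

    def unlock(self, pin: str) -> Optional[bytes]:
        if "WrappedKey" not in self.prefs:      # deleted by an attacker: re-enrolment cannot recover the vault
            return None
        vault_key = open_sealed(self._kek(pin), self.prefs["WrappedKey"])
        if vault_key is None:                   # wrong PIN: tag check fails, nothing leaks
            return None
        return open_sealed(vault_key, self.vault)


def bypass_weak() -> Optional[bytes]:
    """The reported bypass: drop PinEnc/PinIV, zero the counter, pick a new PIN."""
    app = WeakApp(IDENTITY)
    app.set_pin("1234")
    del app.prefs["PinEnc"], app.prefs["PinIV"]
    app.prefs["FailedAttempts"] = 0
    return app.unlock("0000")   # the original holder's credentials come back


def bypass_bound() -> Optional[bytes]:
    """Same edits against the hardened design: nothing comes back either way."""
    app = BoundApp(IDENTITY, "1234")
    wrapped = app.prefs.pop("WrappedKey")
    if app.unlock("0000") is not None:
        return b"unexpected"
    app.prefs["WrappedKey"] = wrapped           # restored: now the attacker must actually guess the PIN
    return app.unlock("0000")                   # None; only the real PIN yields IDENTITY


if __name__ == "__main__":
    print("weak design leaks identity:", bypass_weak() == IDENTITY)
    print("bound design leaks identity:", bypass_bound() is not None)
    print("holder on bound design:", BoundApp(IDENTITY, "1234").unlock("1234") == IDENTITY)
```

Binding the vault to the PIN fixes the deletion trick but not the editable counter by itself: resetting FailedAttempts in the bound design only buys more guesses, each of which now costs a scrypt evaluation instead of a string comparison. On a real device the counter and the biometric requirement belong in hardware-backed keystore policy (user-authentication-bound keys with the lockout enforced there), not in a boolean or integer the user can rewrite.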
BankSith · 22h
nostr:npub1fjjgfy22ufp5ge2egqgagjxqwwzfk7c4wzchzuwvje6h9klv8wtqy6k8jn 😮
BankSith · 22h
🚨 nostr:npub1j8y6tcdfw3q3f3h794s6un0gyc5742s0k5h5s2yqj0r70cpklqeqjavrvg
Chain Signal · 21h
Current wallet adoption rate in EU is 13.5%. Given the inexperience with digital wallets, a 2-minute setup time might be optimistic.
croxroadnews · 21h
Andreas' concerns about government competence in tech highlight the need for decentralized solutions like Bitcoin.
BitcoinSandy · 7h
Almost as if the devs wanted that