Biometric Authentication Bypass in Dropbox App for iOS
CVE-2018-12271

6.4 MEDIUM

Key Information:

Vendor:
Dropbox

Status:
Vendor

CVE Published:
13 June 2018

What is CVE-2018-12271?

A security issue in the Dropbox app for iOS (version 100.2) allows an attacker to bypass biometric authentication. The app gates access on the result of a LocalAuthentication check (the LAContext class), that is, on a Boolean handed back to app code, rather than protecting the guarded secret with a Keychain access-control object carrying the kSecAccessControlUserPresence flag, which would make the operating system itself require user presence before releasing the data. Because the decision is made in the app's own process, an attacker who can tamper with that process can substitute a falsified 'true' result and gain unauthorized access. The vendor has stated that this is outside the scope of their threat model; in practice the attack needs physical access to a jailbroken device, where the platform's code-integrity protections are already defeated.
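The two patterns the description contrasts, shown side by side as an added example (this is illustrative Swift written for this page, not Dropbox's code; the service and account names and the "vault" secret are assumptions). The first function makes the same mistake the advisory describes: the secret is already in the app's hands and a Boolean from LAContext is the only gate. The second stores the secret in the Keychain behind kSecAccessControlUserPresence (`.userPresence` in Swift), so SecItemCopyMatching refuses to return the bytes until the system prompt succeeds and no app-side `true` can substitute for it.

```swift
import Foundation
import LocalAuthentication
import Security

// Assumed identifiers for this example, not the Dropbox app's own.
private let kVaultService = "com.example.vault"
private let kVaultAccount = "vault-key"

enum KeychainError: Error {
    case osStatus(OSStatus)
    case accessControl(CFError?)
}

// VULNERABLE PATTERN: the secret is already readable by the app; the only gate
// is the Boolean delivered by LocalAuthentication. Anything that tampers with
// this callback so that `success` is true unlocks the vault with no biometric.
func unlockVaultTrustingBoolean(secret: Data, completion: @escaping (Data?) -> Void) {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
        completion(nil)
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock your files") { success, _ in
        completion(success ? secret : nil)   // decision made in app code
    }
}

// HARDENED PATTERN: store the secret behind an access-control object carrying
// kSecAccessControlUserPresence. The keychain, not the app, now demands
// Face ID / Touch ID / passcode before the bytes are handed out.
func storeVaultSecret(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,  // no passcode, no item
            .userPresence,                                    // kSecAccessControlUserPresence
            &cfError) else {
        throw KeychainError.accessControl(cfError?.takeRetainedValue())
    }
    let lookup: [String: Any] = [
        kSecClass as String:       kSecClassGenericPassword,
        kSecAttrService as String: kVaultService,
        kSecAttrAccount as String: kVaultAccount,
    ]
    // Drop any earlier copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(lookup as CFDictionary)

    var item = lookup
    item[kSecAttrAccessControl as String] = access
    item[kSecValueData as String] = secret
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.osStatus(status) }
}

func loadVaultSecret() throws -> Data {
    let context = LAContext()
    context.localizedReason = "Unlock your files"
    let query: [String: Any] = [
        kSecClass as String:                    kSecClassGenericPassword,
        kSecAttrService as String:              kVaultService,
        kSecAttrAccount as String:              kVaultAccount,
        kSecReturnData as String:               true,
        kSecUseAuthenticationContext as String: context,
    ]
    var result: CFTypeRef?
    // Blocks until the system prompt completes. The data only comes back if the
    // OS accepted the authentication; a forged Boolean in app code changes nothing.
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        // errSecUserCanceled, errSecAuthFailed, errSecItemNotFound, ...
        throw KeychainError.osStatus(status)
    }
    return data
}
```

`.userPresence` accepts the device passcode as a fallback; `.biometryCurrentSet` is the stricter flag if the item should be unreadable after a fingerprint or face is added or removed. Either way the check moves out of the app's address space, which is what defeats the falsified-result bypass; it does not change the vendor's point that a jailbroken device sits outside the app's threat model, since once the bytes are decrypted into app memory a fully compromised device can read them there.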

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Physical
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
