Incorrect Access Control in the Fingerprint Authentication Mechanism of "Binance: Buy Bitcoin & Crypto" App

Product introduction

Binance is a world-leading cryptocurrency trading platform that provides low-fee trading services and supports more than 200 cryptocurrencies such as Bitcoin, Ethereum, Chainlink, and Cardano. Users can easily buy and sell cryptocurrencies and enjoy 24/7 customer support and currency price alerts. In addition, Binance also provides high-yield cryptocurrency deposit and staking services, where users can earn interest and even spend at more than 50 million merchants around the world through the Binance card. Whether you are a novice or a professional trader, Binance provides a simple and easy-to-use interface to meet the needs of different users.

Affected version

2.85.4

Vulnerability description

The fingerprint authentication function of this app contains the following vulnerability.

  1. Fingerprint authentication is not invalidated when a new fingerprint is enrolled on the device. An attacker who can enroll a fingerprint on the device can therefore pass the app's fingerprint authentication with that new fingerprint, leading to unauthorized access.

Improvement suggestion

  1. Disable fingerprint authentication when a new fingerprint has been enrolled on the device, prompt the user when he/she next attempts fingerprint authentication, and require the user to complete authentication by other means. In terms of implementation, this can be done by using the "setInvalidatedByBiometricEnrollment" API on the key used for fingerprint authentication.
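An added example of the suggested fix (not Binance's code; the class name and key alias are hypothetical, and the androidx.biometric library is assumed): the fingerprint-gated operation is bound to an AndroidKeyStore key created with setInvalidatedByBiometricEnrollment(true), and the app checks for the resulting KeyPermanentlyInvalidatedException before showing the prompt.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class EnrollmentBoundBiometricKey {
    // Hypothetical alias for the app's fingerprint-gated key (constructed for this example).
    private static final String KEY_ALIAS = "example_fingerprint_unlock_key";
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";

    // Generates the key once. Enrolling a new fingerprint later permanently invalidates it.
    public static void generateKey() throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        generator.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                // The key is only usable after the user authenticates (per use, via CryptoObject).
                .setUserAuthenticationRequired(true)
                // The fix from the advisory: any change to enrolled biometrics invalidates the key.
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        generator.generateKey();
    }

    // Returns a CryptoObject to hand to BiometricPrompt, or null when the key is missing or
    // was invalidated by an enrollment change. On null, the caller must refuse fingerprint
    // login, fall back to password/PIN, and only then call generateKey() again.
    public static BiometricPrompt.CryptoObject prepareCryptoObject() throws Exception {
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE);
        keyStore.load(null);
        SecretKey key = (SecretKey) keyStore.getKey(KEY_ALIAS, null);
        if (key == null) {
            return null; // never generated or already deleted
        }
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        try {
            // The keystore rejects an invalidated key here, before any fingerprint is presented.
            cipher.init(Cipher.ENCRYPT_MODE, key);
        } catch (KeyPermanentlyInvalidatedException e) {
            keyStore.deleteEntry(KEY_ALIAS); // force re-enrollment after a non-biometric login
            return null;
        }
        return new BiometricPrompt.CryptoObject(cipher);
    }
}
```

This only protects the app if the sensitive operation actually depends on the key (i.e. the prompt is shown with this CryptoObject and the result's cipher is used); a prompt whose success callback is not tied to the key gains nothing from the invalidation.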