Incorrect Access Control in the Fingerprint Authentication Mechanism of "HomeServe - Home Repair" App

Product introduction

If you have a HomeServe plan, you can easily manage your HomeServe account from your mobile device. Simply log in to My Account with your HomeServe ID and you’ll have quick access to: View your existing HomeServe plans, Make payments, Update payment options, Go paperless, Reset HomeServe ID password, Add/cancel coverage, Schedule service, View service history and Chat with a HomeServe representative.

Affected version

3.3.4

Vulnerability description

The following vulnerabilities exist in the implementation of the fingerprint authentication function of this app.

  1. The app does not disable its fingerprint login when a new fingerprint is enrolled on the device. Anyone who can enroll a fingerprint on an unlocked device can therefore pass the app's fingerprint authentication with that new fingerprint, which leads to unauthorized access to the account.
  2. The app does not verify the user's identity before the fingerprint feature is turned off. The integrity of the fingerprint protection can thus be compromised by anyone holding the device, causing the protection to fail.

Improvement suggestion

  1. Disable fingerprint authentication as soon as a new fingerprint is enrolled on the device, notify the user the next time he/she attempts fingerprint authentication, and require the user to complete authentication by other means (e.g. the HomeServe ID password). In terms of implementation, this can be done by calling the "setInvalidatedByBiometricEnrollment" API on the KeyGenParameterSpec of the Android Keystore key used for fingerprint authentication, so that the key is permanently invalidated when a new biometric is enrolled.
  2. Verify the user's identity when the fingerprint function is being turned off, and allow the fingerprint function to be turned off only if that verification succeeds.
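The two suggestions above in Android Keystore code, as an added illustration that is not the app's own code: the key that gates fingerprint login is created with setInvalidatedByBiometricEnrollment(true) (suggestion 1), and the disable path only succeeds when handed a Cipher that was actually unlocked through a BiometricPrompt CryptoObject (suggestion 2). The key alias and class name are assumptions.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class FingerprintKeyGuard {
    private static final String KEY_ALIAS = "fp_login_key"; // assumed alias, not from the app
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";

    // Suggestion 1: the AES key that protects the stored login token is only usable after
    // a biometric check, and is permanently invalidated once a new fingerprint is enrolled.
    public static void createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)      // every use must be authenticated
                .setInvalidatedByBiometricEnrollment(true) // API 24+: new enrollment kills the key
                .build());
        kg.generateKey();
    }

    // Returns a Cipher to wrap in BiometricPrompt.CryptoObject, or null when the key has been
    // invalidated by a new enrollment. On null the app must turn fingerprint login off and
    // require the primary credential before the feature can be enabled again.
    public static Cipher cipherForFingerprintLogin() throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) {
            ks.deleteEntry(KEY_ALIAS); // remove the dead key so nothing can silently reuse it
            return null;
        }
    }

    // Suggestion 2: only remove the key (i.e. turn the feature off) if the caller proves the
    // user just authenticated. The cipher from the prompt's CryptoObject performs doFinal only
    // after a successful biometric; an un-authenticated cipher throws and the request is refused.
    public static boolean disableFingerprintLogin(Cipher authenticatedCipher) throws Exception {
        try {
            authenticatedCipher.doFinal(new byte[0]);
        } catch (UserNotAuthenticatedException e) {
            return false; // identity not verified: keep fingerprint protection in place
        }
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        ks.deleteEntry(KEY_ALIAS);
        return true;
    }
}
```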