“Day 8: Mobile Hacking — How I Cracked a Banking App’s PIN in 10 Seconds ($5000 Bug)”

A member of the iPhoneDevSDK forum has posted a story about how they were able to easily crack the PIN of a banking app, despite the app claiming to use military-grade encryption.
They found that the app stored PINs in plaintext in the iOS Keychain, and with a simple Frida script, they were able to bypass biometric authentication and access any account.
After demonstrating this vulnerability to the bank, they were paid $5000.
The poster emphasizes the importance of secure coding practices, especially when it comes to mobile apps, as these often have vulnerabilities through which attackers can quickly gain access.
Common vulnerabilities include hardcoded secrets, insecure local storage, and lack of certificate pinning, all of which were present in this example.

Fast Feed