
Reversing France's identity card

c00nter

I've taken a liking to this article: https://www.reversemode.com/2023/10/reversing-france-identite-new-french.html so I wanted to share it with all of you.

"France Identité" is the new French digital ID. This author was invited to a bug bounty program regarding this new system and was asked to perform a black-box type of testing.

The whole system relies on an app installed on the user's phone that leverages the communication between the actual card and the backend, and said app was vulnerable to a MITM attack that allowed the author to read the encrypted messages sent along the way.

The infographics and explanation of the actual process are done quite well on the link provided and I highly recommend taking a look.

source -> https://www.reversemode.com/2023/10/reversing-france-identite-new-french.html
 
Please note that this user is banned
The images in this article are not displayed. c00nter, have you understood exactly the methodology to use?
 
Also, the CISO got in contact with the creator recently:

Update from 06/10/2023: following my publication, I’ve been in contact with France Identité CISO and they could provide more information on the measures they have taken in the light of these findings:

We would like to thank you for your in-depth technical research work on “France Identite” app that was launched in beta a year ago and for which you were rewarded. As you know, the app is now generally available on iOS and Android through their respective app stores.

Your work, alongside French cybersecurity agency (ANSSI) research, made us update and modify deeply the E2EE Secure Channel used between the app and our backend. It is now mostly based on TLS1.3. Those modifications were released only a few weeks after you submitted your work through our private BugBounty program with YesWeHack. That released version also fixes the three other vulnerabilities you submitted.

From the beginning of “France Identite” program, it was decided to implicate cybersecurity community, launching first a private BugBounty program. We are now happy to announce the BugBounty program will soon be publicly available, and the source code published in early 2024. You and all security researchers are welcome to participate.


Apparently measures have been taken to fix these issues already.
 

