Payeer Android Application PIN Change Authentication Bypass Vulnerability
Vulnerability
An improper access control vulnerability has been identified in the PIN change authentication process of the Payeer Android application, version 2.5.0. A local attacker with root access to the device can bypass the current PIN verification and change the authentication PIN directly. As a result, unauthorized users can reset the PIN without knowledge of the original one.
Impact
Exploitation of this vulnerability allows for unauthorized PIN changes in the Payeer application, potentially leading to unauthorized access to user accounts or funds.
Reproduction
To reproduce this vulnerability, log into the Payeer app on a rooted Android device. Navigate to the 'Change PIN' feature in the settings. Use a dynamic instrumentation tool like Frida to hook into the PIN verification method, bypassing the check for the current PIN. After attaching the Frida script, enter an incorrect PIN. The application will accept the input and allow the user to set a new PIN without knowing the original one.
Remediation
Payeer should implement server-side validation of PIN changes, requiring backend confirmation of the current PIN before allowing modifications. Additionally, the application could strengthen client-side protections by obfuscating sensitive methods and using native code to complicate dynamic instrumentation. Finally, incorporating runtime protections to detect root access and ensure application integrity could help mitigate such vulnerabilities.
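The server-side check recommended above could look like the following sketch. It is an added example, not Payeer's code: the names PinStore and change_pin, the request fields (including the current_pin_verified flag), the PIN length limits, the lockout threshold and the PBKDF2 parameters are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # assumed lockout threshold, not taken from the advisory


def _derive(pin: str, salt: bytes) -> bytes:
    # Slow, salted KDF so a leaked record does not cheaply reveal a short PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


class PinStore:
    """In-memory stand-in for the backend's account table (hypothetical)."""

    def __init__(self):
        self._rows = {}  # user_id -> {"salt", "hash", "failures"}

    def enroll(self, user_id: str, pin: str) -> None:
        salt = os.urandom(16)
        self._rows[user_id] = {"salt": salt, "hash": _derive(pin, salt), "failures": 0}

    def verify(self, user_id: str, pin: str) -> bool:
        row = self._rows[user_id]
        if row["failures"] >= MAX_FAILURES:
            return False  # locked: refuse even a correct PIN until reset out of band
        ok = hmac.compare_digest(_derive(pin, row["salt"]), row["hash"])
        row["failures"] = 0 if ok else row["failures"] + 1
        return ok


def change_pin(store: PinStore, user_id: str, request: dict) -> dict:
    """Handle a PIN-change request; the session is assumed already authenticated."""
    # Any client-side verdict (such as a "current_pin_verified" flag) is ignored:
    # an instrumented app can force it to true, so only the submitted PIN counts.
    current, new = request.get("current_pin", ""), request.get("new_pin", "")
    if not (isinstance(new, str) and new.isascii() and new.isdigit()
            and 4 <= len(new) <= 8):  # assumed PIN policy
        return {"status": 400, "error": "invalid_new_pin"}
    if not isinstance(current, str) or not store.verify(user_id, current):
        return {"status": 403, "error": "current_pin_rejected"}
    store.enroll(user_id, new)
    return {"status": 200}
```

Because the comparison runs on the backend against the stored hash, hooking the app's local verification method no longer changes the outcome of the request.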
