santomet/pv204_project

🔴 Security Vulnerability: PIN is hardcoded in the source code of the applet

mvondracek opened this issue · 0 comments

  • Severity: HIGH
  • Vulnerability Class: hardcoded credentials
  • Description: AlmostSecureApplet has hardcoded PIN="0x01 0x02 0x03 0x04". This means that all instances of this applet on all cards distributed to all users have the same fixed PIN. Once this information leaks, the attacker knows the PIN of every user. This is security through obscurity, which violates Kerckhoffs's principle. A similar issue as in #6.
  • Exploit: Use a hardcoded PIN.
  • Remediation: PIN must not be hardcoded in the source code of the applet. The applet must obtain PIN exactly once during its installation on the card. Applet installation on the card must be carried out in a secure environment of the service provider (e.g., bank).
  • Location: applets/AlmostSecureApplet.java:202

Discovered by Team Emerald.
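
The remediation described in the issue, sketched as an added Java Card example (not the project's code and not part of the original report): the PIN arrives once in the install parameters and is never compiled into the applet. The package and class names, the PIN length bounds and the try limit are assumptions; the install data layout (AID, control info, applet data) is the one documented for `Applet.install`.

```java
package example; // hypothetical package name, not from the project

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.OwnerPIN;

// Added illustration: each card is personalised with its own PIN at install time.
public class InstallPinApplet extends Applet {
    private static final byte PIN_TRY_LIMIT = (byte) 3; // assumed policy
    private static final byte PIN_MIN_LEN = (byte) 4;   // assumed policy
    private static final byte PIN_MAX_LEN = (byte) 8;   // assumed policy
    private static final byte INS_VERIFY = (byte) 0x20; // ISO 7816-4 VERIFY
    private final OwnerPIN pin;

    private InstallPinApplet(byte[] bArray, short bOffset, byte bLength) {
        // Install data layout: Li | AID, Lc | control info, La | applet data.
        byte aidLen = bArray[bOffset];
        short aidOff = (short) (bOffset + 1);
        short off = (short) (aidOff + aidLen);
        off = (short) (off + bArray[off] + 1);      // skip control info
        byte pinLen = bArray[off];                  // La: here, the PIN length
        off++;
        // Refuse to install without a well-formed PIN inside the supplied data.
        if (pinLen < PIN_MIN_LEN || pinLen > PIN_MAX_LEN
                || (short) (off + pinLen) > (short) (bOffset + bLength)) {
            ISOException.throwIt(ISO7816.SW_WRONG_DATA);
        }
        pin = new OwnerPIN(PIN_TRY_LIMIT, PIN_MAX_LEN);
        pin.update(bArray, off, pinLen);            // the only place the PIN is set
        register(bArray, aidOff, aidLen);
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new InstallPinApplet(bArray, bOffset, bLength);
    }

    public void process(APDU apdu) {
        if (selectingApplet()) { return; }
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_INS] != INS_VERIFY) {
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
        short len = apdu.setIncomingAndReceive();
        if (len < PIN_MIN_LEN || len > PIN_MAX_LEN) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        if (!pin.check(buf, ISO7816.OFFSET_CDATA, (byte) len)) {
            // 0x63Cx: x is the number of tries remaining
            ISOException.throwIt((short) (0x63C0 | pin.getTriesRemaining()));
        }
    }
}
```

Because the applet exposes no command that calls `pin.update` after installation, the PIN is obtained exactly once, in the service provider's personalisation environment as the remediation requires.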