๐ด Security Vulnerability: PIN is hardcoded in the source code of the PC application
mvondracek opened this issue ยท 0 comments
mvondracek commented
- Severity: HIGH
- Vulnerability Class: hardcoded credentials
- Description:
SimpleAPDU
has hardcoded PIN=โ0x01 0x02 0x03 0x04โ. This means that all instances of this PC application used by all users have the same fixed PIN. Once this information leaks, the attacker knows the PIN of every user. A similar issue as in #5. - Exploit: Use a hardcoded PIN.
- Remediation: The PIN must not be hardcoded in the source code of the PC application. The application must obtain the PIN exactly once before the secure session (key agreement) with the applet on the card is established. The PIN must be discarded when the secure session is correctly established to prevent subsequent memory dump attacks.
- Location: simpleapdu/SimpleAPDU.java:125
Discovered by Team Emerald.