Banner object (1)

Hack and Take the Cash !

676 bounties in database
25/10/2018

100 HKN 

Crypviser Secure Messenger Managed by HackenProof

Crypviser is the most private messaging app, as it is based on Blockchain technology. The decentralized Crypviser Messenger lets you to enjoy private cam chat & voice calls with automated blockchain encryption.

__Scope

In Scope

Target | Type | Severity | Reward
---|---|---|---

https://hacken.live/2BY3A8k
  • DAPP Crypviser Secure Messenger for iOS

| iOS | Critical | Bounty

__Rewards

Severity (CVSSv3) | Reward
---|---
Low | 131 HKN
Medium | 394 HKN
High | 1973 HKN
Critical | 3947 HKN

__Focus Area

In-Scope Vulnerabilities


We are interested in next vulnerabilities:

  • Data Security at Local DB Level

  • Access to the data contained in the QR code

  • Pentest of http-server to transfer files to m1node.crypviser.network:1443 — only post request to transfer files to the server
  • Decryption, and interception of communications between users
  • MiTM attacks on the interception and substitution of public keys encryption for faking messages

  • Decryption of messages between the user and the bot ([email protected])

  • Authorization in the application without knowing the password
  • MiTM attack to establish a chat on behalf of another user
  • Conducting a successful unnoticed MiTM with data substitution between a lightweight blockchain client in the application and Witness (violation of the integrity of Merkel Tree hashes)
  • Carrying out attacks at the network level of application’s operation with blockchain nodes

Out-of-Scope Vulnerabilities


  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation is out of scope
  • OAuth & app secret hard-coded/recoverable in IPA
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

__Program Rules

  • Avoid compromising any personal data, interruption or degradation of any service .
  • Don’t access or modify other user data, localize all tests to your accounts.
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • Only the first valid bug is eligible for reward.
  • Don’t disclose publicly any vulnerability until you are granted permission to do so.
  • Don’t break any law and stay in the defined scope.
  • Comply with the rules of the program.
  • The rewards will be paid out in HKN based on the current price.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.
Thanks
Gift
Hall of Fame
Reward


List your Bug Bounty for free immediately!

Contact us if you want more information.

FireBounty (c) 2015-2018