Banner object (1)

Hack and Take the Cash !

800 bounties in database
  Back Link to program      
25/10/2018
Crypviser Secure Messenger logo
Thanks
Gift
Hall of Fame
Reward

Reward

100 HKN 

In Scope

Scope Type Scope Name
ios_application https://hacken.live/2BY3A8k

Crypviser Secure Messenger

Crypviser is the most private messaging app, as it is based on Blockchain technology. The decentralized Crypviser Messenger lets you to enjoy private cam chat & voice calls with automated blockchain encryption.

__Scope

In Scope

Target | Type | Severity | Reward
---|---|---|---

https://hacken.live/2BY3A8k
  • DAPP Crypviser Secure Messenger for iOS

| iOS | Critical | Bounty

__Rewards

Severity (CVSSv3) | Reward
---|---
Critical | 3000$
High | 1500$
Medium | 300$
Low | 100$

__Focus Area

In-Scope Vulnerabilities


We are interested in next vulnerabilities:

  • Data Security at Local DB Level

  • Access to the data contained in the QR code

  • Pentest of http-server to transfer files to m1node.crypviser.network:1443 — only post request to transfer files to the server
  • Decryption, and interception of communications between users
  • MiTM attacks on the interception and substitution of public keys encryption for faking messages

  • Decryption of messages between the user and the bot (crypviser0000001@m1node.crypviser.network)

  • Authorization in the application without knowing the password
  • MiTM attack to establish a chat on behalf of another user
  • Conducting a successful unnoticed MiTM with data substitution between a lightweight blockchain client in the application and Witness (violation of the integrity of Merkel Tree hashes)
  • Carrying out attacks at the network level of application’s operation with blockchain nodes

Out-of-Scope Vulnerabilities


  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation is out of scope
  • OAuth & app secret hard-coded/recoverable in IPA
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

__Program Rules

  • Avoid compromising any personal data, interruption or degradation of any service .
  • Don’t access or modify other user data, localize all tests to your accounts.
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • Only the first valid bug is eligible for reward.
  • Don’t disclose publicly any vulnerability until you are granted permission to do so.
  • Don’t break any law and stay in the defined scope.
  • Comply with the rules of the program.
  • The rewards will be paid out in HKN based on the current price.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.

FireBounty © 2015-2019

Legal notices