Crypviser  is the most private messaging app, as it is based on Blockchain technology. The decentralized Crypviser Messenger lets you to enjoy private cam chat & voice calls with automated blockchain encryption.

Scope

In Scope

Focus Area

In-Scope Vulnerabilities

We are interested in next vulnerabilities:

• Data Security at Local DB Level

• Access to the data contained in the QR code

• Pentest of http-server to transfer files to m1node.crypviser.network:1443 — only post request to transfer files to the server
• Decryption, and interception of communications between users

• MiTM attacks on the interception and substitution of public keys encryption for faking messages

• Decryption of messages between the user and the bot (crypviser0000001@m1node.crypviser.network)

• Authorization in the application without knowing the password
• MiTM attack to establish a chat on behalf of another user
• Conducting a successful unnoticed MiTM with data substitution between a lightweight blockchain client in the application and Witness (violation of the integrity of Merkel Tree hashes)
• Carrying out attacks at the network level of application’s operation with blockchain nodes

Out-of-Scope Vulnerabilities

• Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
• Sensitive data in URLs/request bodies when protected by TLS
• Path disclosure in the binary
• User data stored unencrypted on the file system
• Lack of obfuscation is out of scope
• OAuth & app secret hard-coded/recoverable in IPA
• Crashes due to malformed URL Schemes
• Lack of binary protection (anti-debugging) controls
• Snapshot/Pasteboard leakage
• Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

Program Rules

• Avoid compromising any personal data, interruption or degradation of any service .
• Don’t access or modify other user data, localize all tests to your accounts.
• Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
• In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
• Only the first valid bug is eligible for reward.
• Don’t disclose publicly any vulnerability until you are granted permission to do so.
• Don’t break any law and stay in the defined scope.
• Comply with the rules of the program.
• The rewards will be paid out in HKN based on the current price.
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.