Crypviser is the most private messaging app, as it is based on Blockchain technology.
The decentralized Crypviser Messenger lets you to enjoy private cam chat & voice calls with automated blockchain encryption.
In Scope
| Target | Type | Severity | Reward |
|---|---|---|---|
https://hacken.live/2BY3A8k
|
iOS | Critical | Bounty |
In-Scope Vulnerabilities
We are interested in next vulnerabilities:
- Data Security at Local DB Level
- Access to the data contained in the QR code
- Pentest of http-server to transfer files to m1node.crypviser.network:1443 — only post request to transfer files to the server
- Decryption, and interception of communications between users
- MiTM attacks on the interception and substitution of public keys encryption for faking messages
- Decryption of messages between the user and the bot ([email protected])
- Authorization in the application without knowing the password
- MiTM attack to establish a chat on behalf of another user
- Conducting a successful unnoticed MiTM with data substitution between a lightweight blockchain client in the application and Witness (violation of the integrity of Merkel Tree hashes)
- Carrying out attacks at the network level of application’s operation with blockchain nodes
Out-of-Scope Vulnerabilities
- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
- Sensitive data in URLs/request bodies when protected by TLS
- Path disclosure in the binary
- User data stored unencrypted on the file system
- Lack of obfuscation is out of scope
- OAuth & app secret hard-coded/recoverable in IPA
- Crashes due to malformed URL Schemes
- Lack of binary protection (anti-debugging) controls
- Snapshot/Pasteboard leakage
- Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)
- Avoid compromising any personal data, interruption or degradation of any service .
- Don’t access or modify other user data, localize all tests to your accounts.
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
- In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
- Only the first valid bug is eligible for reward.
- Don’t disclose publicly any vulnerability until you are granted permission to do so.
- Don’t break any law and stay in the defined scope.
- Comply with the rules of the program.
- The rewards will be paid out in HKN based on the current price.
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.