Crypviser Secure Messenger: Program Info

Triaged by HackenProof

Ended 1673 days ago

Crypviser  is the most private messaging app, as it is based on Blockchain technology.
The decentralized Crypviser Messenger lets you to enjoy private cam chat & voice calls with automated blockchain encryption.

In Scope

Target Type Severity Reward
  • DAPP Crypviser Secure Messenger for iOS
iOS Critical Bounty

In-Scope Vulnerabilities

We are interested in next vulnerabilities:

  • Data Security at Local DB Level
  • Access to the data contained in the QR code
  • Pentest of http-server to transfer files to — only post request to transfer files to the server
  • Decryption, and interception of communications between users
  • MiTM attacks on the interception and substitution of public keys encryption for faking messages
  • Decryption of messages between the user and the bot ([email protected])
  • Authorization in the application without knowing the password
  • MiTM attack to establish a chat on behalf of another user
  • Conducting a successful unnoticed MiTM with data substitution between a lightweight blockchain client in the application and Witness (violation of the integrity of Merkel Tree hashes)
  • Carrying out attacks at the network level of application’s operation with blockchain nodes

Out-of-Scope Vulnerabilities

  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation is out of scope
  • OAuth & app secret hard-coded/recoverable in IPA
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)
  • Avoid compromising any personal data, interruption or degradation of any service .
  • Don’t access or modify other user data, localize all tests to your accounts.
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • Only the first valid bug is eligible for reward.
  • Don’t disclose publicly any vulnerability until you are granted permission to do so.
  • Don’t break any law and stay in the defined scope.
  • Comply with the rules of the program.
  • The rewards will be paid out in HKN based on the current price.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.