fidentity Liveness Challenge not yet cracked!

fidentity Hacking Challenge

Description

fidentity helps digitize the identification of customers either on site or on line. Without the hassle of an app or additional hardware, ID documents can be scanned with a mobile phone. Liveness verified selfies and digital signatures are available. Artificial intelligence prevents fraud and ensures compliance. An automatic decision is available in real time to control the next step in the onboarding process.

The first validated submission to bypass the AI liveness check will receive CHF 4'000 (severity critical is required).

The submissions will be scored on the following criteria: Criticality, Scalability, Report Quality and Originality.

Beat the fidentity liveness check!

Rules

This challenge has a special program scope: Bypassing the “liveness” verification process

fidentity operates various services and platforms, but only the "liveness" verification process is in the scope of this challenge. All other domains or services not explicitly listed are therefore not eligible for reward and do not fall under the Legal Safe Harbor Agreement.

Try to impersonate one of the target personas

Important

In case of a successful attempt an ID will be displayed, please note this ID in your report.

By participating in this challenge, Friendly Hackers undertake to document information about any vulnerability found exclusively via the platform's designated reporting form and not in any other places. They also agree to keep the found vulnerability secret for 90 days after reporting it on the platform. Finally, they undertake to upload to the platform any data from customers that they have obtained as part of the challenge and to delete any local copies afterwards and not to distribute them further. Staff and Judges are not eligible for prizes.

Hacking Methods and Rules

In participating in the program, Friendly Hackers agree not to use methods that would adversely affect the tested applications or their users. These include, but are not limited to:

  • Social engineering
  • Spamming
  • Phishing
  • Denial-of-service attacks or other brute force attacks
  • Physical attacks

Furthermore, Friendly Hackers must adhere to the following rules:

  • Respect and adhere to the scope
  • Be professional in all interactions with one another and staff
  • Keep all communication to official channels only (Discord, or Discord DMs if the content is sensitive)
  • The GUID from the successful test/s must be included within the report

In addition to the prohibited hacking methods listed above, Friendly Hackers are required to immediately discontinue vulnerability scanning if they determine that their conduct will result in a significant degradation (negative impact on regular users or on the operations team) of the platform's or service's operations.

NOTE: Judges, fidentity and GObugfree staff are not eligible for rewards during the event.

Qualified vulnerabilities

Any design or implementation problem can be reported that is reproducible and affects security.

Typical examples:

  • Deep fakes
  • Spoofing
  • Cross Site Request Forgery (CSRF)
  • Cross Site Scripting (XSS)
  • Insecure Direct Object Reference
  • Remote Code Execution (RCE) - Injection Flaws
  • Information Leakage and Improper Error Handling
  • Unauthorized access to properties or accounts

Other examples:

  • Data/information leaks
  • Possibility of data/information exfiltration
  • Backdoors that can be actively exploited
  • Potential for unauthorized system use
  • Misconfigurations

Non-qualified vulnerabilities

The following vulnerabilities and forms of documentation are generally not wanted and will be rejected:

  • Startpages is (1, 2)
  • Attacks that require physical access to a user's device or network
  • Forms with missing CSRF tokens (unless the criticality exceeds CVSS level 5)
  • Self-XSS
  • The use of a library known to be vulnerable or publicly known to be broken (unless there is active evidence of exploitability)
  • Reports from automated tools or scans without explanatory documentation
  • Social engineering targeting individuals or entities of the organisation
  • Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • Bots, spam, bulk registration
  • Submission of best practices that do not directly result in an exploitable vulnerability (e.g., certificate pinning, missing security headers)
  • Use of vulnerable and "weak" cipher suites/ciphers
  • Missing rate limiting without further security impact

Your Submission

For each submission that bypasses the liveness check, the report is expected to include enough technical detail, at a quality that allows the teams to replicate the issue. Below is some guidance on what we require within the report. You may lay out your report in whatever way you see fit as long as the following details are provided.

In some cases, we may not be able to replicate some attacks where specialized software or hardware has been used; in these cases we require you to provide a recording of your successful test.

Summary

  • Give us a brief summary of what you have been able to achieve and how
  • The Persona used
  • The GUID from the successful test/s

Prerequisites

  • What is needed to replicate what you have done
  • Any specialized equipment, software and/or material?
  • Specific settings for software?

Detail

  • Provide a detailed step by step description of how to replicate what you have been able to achieve
  • Additionally, consider how you would increase the scale of the attack

Solution

  • Do you have any advice for fidentity on how to defend against the attack you have described or to mitigate against it? (including reference material to support your advice if possible)

Scopes

The following service(s) and application(s) may be tested. All other targets and third party services not listed here are not in scope.

Procedure

  1. Start looking for vulnerabilities, respecting the definitions in this program (scope, rules, ...).
  2. Report found vulnerabilities and support the platform and the customer in verifying them (please note the ID that is displayed at the end of the liveness check)
  3. Get points towards the leaderboard for confirmed, new vulnerabilities with a chance to win the top prizes for final leaderboard positions.

The organisation gives their approval for Friendly Hackers to use hacking methods based on the specified bug bounty program. Due to this consent, the criminal liability criterion of unauthorized obtaining/unauthorized use and thus the criminal liability of the Friendly Hackers with regard to the criminal offenses in Art. 143 Swiss Criminal Code (Unauthorised obtaining of data) and Art. 143bis Swiss Criminal Code (Unauthorised access to a data processing system) does not apply.

Bounty Levels

Severity    Bounty
Critical    4000
High        Points
Medium      Points
Low         Points