210 – Security controls bypass or absence - Facial Recognition

Description

By using the F015 finding to obtain a token, it is possible to bypass facial recognition processes to enter application transactions, and likewise to accept or deny authorizations from a user.

Impact

- Log in to the allied portal as any user. - Approve or reject a users transactions.

Recommendation

Put in place for every resource with business-critical functionality a strong authentication process and ensure that every user attempting to access it is logged in.

Threat

Anonymous attacker from the Internet with a valid token.

Expected Remediation Time

450 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: P
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): H
• Integrity (VI): H
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 062 - Define standard configurations
• 266 - Disable insecure functionalities
• 273 - Define a fixed security suite

Fixes

• Go
• Java
• Python
• Scala
• Swift

Last updated

2024/02/16