Saturday, December 9, 2017

Vulnerability in Wickr: Bypassing Password on Android

Summary

I have reported this issue directly to Wickr on Sep 12th to the Wickr team. Within few hours, they escalated the ticket to the devs and confirmed my findings & that they're fixing it.

The bug has been fixed for a while now, and you're urged to make sure you have the latest version.

Vulnerability Description

I have enabled the auth option to require a password. However, as soon as I switch to another app, it requires a lock immediately.

To bypass the lock, first I open recent apps context menu in Android and select Wickr. The lock screen shows. Then, I click on a Wickr message notification from the notification drop menu. It immediately opens the message itself and if I click the back button, it opens the main chat list and I can browse other chats. No password needed.

I also noticed that if I click the notification first, it does ask for a password, so first Wickr has to be selected from the recent apps, then click on the notification.


Bonus

The Wickr team was super friendly and offered me some freebies: tshirts, a hoodie, and stickers. The app is free and open source, and I'm quite happy to have been able to give back to the community, so the bonus stuff made me feel extra special.

Big thumbs up the Wickr team for their extremely fast response and fix to the issue.