Boonpoj Thongakaraniroj

**Name of the Vulnerable Software and Affected Versions** org.telegram.messenger application version 4.8.11 **Description** The issue allows authentication bypass via runtime manipulation that forces a certain method's return value to `true`, enabling an attacker to authenticate with an arbitrary passcode. The vendor notes that this is not considered an attack of interest within their threat model, specifically excluding Android devices on which rooting has occurred. **Recommendations** For version 4.8.11, consider disabling the Passcode feature until a patch is available to prevent potential authentication bypass.

**Name of the Vulnerable Software and Affected Versions** org.telegram.messenger application version 4.8.11 **Description** An issue in the FingerprintManager class for Biometric validation allows authentication bypass through the callback method from `onAuthenticationFailed` to `onAuthenticationSucceeded` with null. This is because the fingerprint API in conjunction with the Android `keyGenerator` class is not implemented, allowing an attacker to authenticate with an arbitrary fingerprint. The vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred. **Recommendations** For version 4.8.11, consider disabling the FingerprintManager class for Biometric validation as a temporary workaround until a patch is available. Restrict access to the `onAuthenticationSucceeded` and `onAuthenticationFailed` callback methods to minimize the risk of exploitation. Avoid using the fingerprint API in conjunction with the Android `keyGenerator` class until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LINE application version 8.8.1 **Description** An issue in the LINE application allows authentication bypass via runtime manipulation. This manipulation forces a certain method's return value to `true`, enabling an attacker to authenticate with an arbitrary passcode. **Recommendations** For version 8.8.1, consider disabling the Passcode feature until a patch is available to prevent potential authentication bypass attacks.

**Name of the Vulnerable Software and Affected Versions** com.dropbox.android version 98.2.2 **Description** An issue in the com.dropbox.android application allows authentication bypass through the FingerprintManager class for Biometric validation. This is possible because the fingerprint API, in conjunction with the Android keyGenerator class, is not properly implemented, enabling an attacker to authenticate with an arbitrary fingerprint. The vendor notes that this issue is not considered a threat within their threat model, specifically excluding Android devices that have been rooted. **Recommendations** For version 98.2.2, consider disabling the FingerprintManager class for Biometric validation until a proper fix is implemented to prevent authentication bypass. Restrict access to the fingerprint API to minimize the risk of exploitation. Avoid using the fingerprint authentication method in the affected application until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** com.dropbox.android version 98.2.2 **Description** An issue in the Passcode feature allows authentication bypass via runtime manipulation, forcing a certain method's return value to `true`, enabling an attacker to authenticate with an arbitrary passcode. The vendor notes that this is not considered an attack of interest within their threat model, specifically excluding Android devices on which rooting has occurred. **Recommendations** For version 98.2.2, consider disabling the Passcode feature until a patch is available to prevent authentication bypass via runtime manipulation.