CVE-2024-23674

Name of the Vulnerable Software and Affected Versions Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15

Description The issue allows authentication bypass by spoofing, enabling a man-in-the-middle attacker to assume a victim's identity and access government, medical, and financial resources. The attacker can also extract personal data from the card. This occurs due to a combination of factors, including insecure PIN entry and eid:// deeplinking. The victim must be using a modified eID kernel, which may happen if they are tricked into installing a fake version of an official app.

Recommendations For the Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15, consider disabling the use of insecure PIN entry for basic readers and avoid using eid:// deeplinking until a secure version is available. Additionally, users should be cautious when installing apps and ensure they are from official sources to prevent the installation of a modified eID kernel. At the moment, there is no information about a newer version that contains a fix for this vulnerability.