DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-VX5F-VMR6-32WF: Pinky Promise Protocol: Bypassing Biometric Auth in Capacitor


Vulnerability ID: GHSA-VX5F-VMR6-32WF
CVSS Score: 5.5
Published: 2026-02-10

A flaw (CVSS 5.5, Medium) in the Android implementation of @capgo/capacitor-native-biometric allowed an attacker with code execution on the device to bypass biometric authentication using standard instrumentation tools. Because the plugin never bound the authentication event to a cryptographic operation, it trusted the Java-layer success callback blindly, and a framework such as Frida can invoke that callback directly.

TL;DR

The Android biometric implementation treated the "yes, it's me" callback as proof of authentication without requiring any key-backed operation to succeed. An attacker with local code execution (typically malware on a rooted device, or an app repackaged with the Frida gadget) could use Frida to call the success callback directly, skipping the fingerprint/face-unlock check entirely. Fixed by binding the prompt to a hardware-backed CryptoObject, so that the success path must perform a cipher operation that only a real authentication unlocks.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-287
  • Attack Vector: Local / Physical
  • Impact: Authentication Bypass
  • Exploit Status: POC Available (Trivial)
  • Platform: Android
  • Technology: Capacitor / Java

Affected Systems

  • Android Applications using Capacitor
  • @capgo/capacitor-native-biometric < 8.3.7 (fixed in 8.3.7)

Code Analysis

Commit: 1254602

feat(android): implement crypto object for stronger authentication

@@ -125,7 +125,8 @@
- biometricPrompt.authenticate(promptInfo);
+ Cipher cipher = getCipher();
+ BiometricPrompt.CryptoObject cryptoObject = new BiometricPrompt.CryptoObject(cipher);
+ biometricPrompt.authenticate(promptInfo, cryptoObject);
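Review bot: passing a CryptoObject only closes the bypass if the success callback actually uses the cipher it gets back, and this hunk changes only the `authenticate` call; nothing here shows `onAuthenticationSucceeded` reading `result.getCryptoObject().getCipher()` and running a `doFinal`, and if that callback still just reports success, a Frida hook that calls it directly bypasses the prompt exactly as before. `getCipher()` is also opaque in the hunk: for the binding to be hardware-enforced, the key it initializes must come from `AndroidKeyStore` with `setUserAuthenticationRequired(true)` (per-use authentication), otherwise the cipher works whether or not the prompt was shown. Suggest including or referencing the callback change in the same commit, adding a comment on `getCipher()` stating the key's authentication requirement, and handling the `KeyPermanentlyInvalidatedException` that `cipher.init` raises after biometric re-enrollment, which nothing visible around `Cipher cipher = getCipher();` catches.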

Exploit Details

  • Researcher Analysis: Exploitation uses standard Android instrumentation (Frida, which requires a rooted device or an app repackaged with the Frida gadget) to invoke the plugin's success callback directly, so no biometric is ever presented to the system.

Mitigation Strategies

  • Update to version 8.3.7 or later immediately.
  • Implement root detection and anti-Frida checks in the native layer as defense in depth; these raise the bar but are themselves bypassable, so they are no substitute for the crypto binding.
  • Never treat a client-side boolean as proof of authentication. Tie the result to a key-backed operation (decrypting an enrolled secret or signing a server challenge) and validate it server-side where possible.
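As an added illustration (not the plugin's code, and not necessarily the exact shape of the 8.3.7 fix), here is the pattern the commit above is moving toward, written as a standalone Android helper: the success callback does not report success, it uses the cipher the prompt unlocked, so a forged callback has nothing to unlock. It assumes the androidx.biometric library, minSdk 24 or later, and a hypothetical Listener interface standing in for the Capacitor plugin's promise resolution; the key alias and challenge bytes are constructed for the example.

```java
// Added example, not from the plugin. Assumes androidx.biometric on minSdk 24+.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Biometric prompt whose success path is a key-store operation, not a boolean. */
public final class BoundBiometricAuth {

    /** Hypothetical outcome sink; a Capacitor plugin would resolve/reject its call here. */
    public interface Listener {
        void onBound(byte[] ciphertext, byte[] iv);  // cipher really ran: user authenticated
        void onFailed(String reason);
    }

    private static final String KEY_ALIAS = "example.biometric.bound";  // assumed alias
    // Constructed challenge; a real app would decrypt an enrolled secret instead.
    private static final byte[] CHALLENGE = "biometric-challenge".getBytes(StandardCharsets.UTF_8);

    /** AES key in AndroidKeyStore, usable only after a fresh STRONG biometric authentication. */
    private static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey existing = (SecretKey) ks.getKey(KEY_ALIAS, null);
        if (existing != null) {
            return existing;
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                // Per-use authentication: the key stays locked until the prompt unlocks
                // the exact Cipher handed to it inside the CryptoObject.
                .setUserAuthenticationRequired(true)
                // A newly enrolled fingerprint must not inherit access to the key.
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        return kg.generateKey();
    }

    /** init() succeeds before the prompt; doFinal() is the call that needs the unlock. */
    private static Cipher getCipher() throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        return cipher;
    }

    public static void authenticate(FragmentActivity activity, Listener listener) {
        final Cipher cipher;
        try {
            cipher = getCipher();
        } catch (KeyPermanentlyInvalidatedException e) {
            listener.onFailed("key invalidated by biometric re-enrollment; re-enroll");
            return;
        } catch (Exception e) {
            listener.onFailed("cipher init failed: " + e);
            return;
        }

        BiometricPrompt.AuthenticationCallback callback = new BiometricPrompt.AuthenticationCallback() {
            @Override
            public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                // Vulnerable pattern: call listener.onBound(...) here and trust the callback.
                // Hardened pattern: do the key-store operation. A forged callback (Frida
                // invoking this method) carries no unlocked cipher, so doFinal throws.
                BiometricPrompt.CryptoObject crypto = result.getCryptoObject();
                if (crypto == null || crypto.getCipher() == null) {
                    listener.onFailed("success callback without CryptoObject");
                    return;
                }
                try {
                    Cipher unlocked = crypto.getCipher();
                    byte[] ciphertext = unlocked.doFinal(CHALLENGE);
                    listener.onBound(ciphertext, unlocked.getIV());
                } catch (Exception e) {
                    listener.onFailed("crypto-bound check failed: " + e);
                }
            }

            @Override
            public void onAuthenticationError(int errorCode, CharSequence errString) {
                listener.onFailed("error " + errorCode + ": " + errString);
            }
            // onAuthenticationFailed() is one non-matching attempt; the prompt stays open.
        };

        BiometricPrompt prompt = new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback);
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm it's you")
                // A CryptoObject requires a Class 3 (STRONG) authenticator.
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .setNegativeButtonText("Cancel")
                .build();
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

The property that matters is that `onBound` is only reachable through `doFinal` on a cipher the key store unlocked for this prompt. Hooking `onAuthenticationSucceeded` with Frida and passing a null result, or the original still-locked cipher, lands in `onFailed` rather than `onBound`; an attacker who can reach `onBound` directly already controls the whole process, which is why the server-side validation above still belongs alongside it.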

Remediation Steps:

  1. Run npm update @capgo/capacitor-native-biometric in your project root.
  2. Verify package.json reflects version ^8.3.7.
  3. Rebuild your Android project: npx cap sync android && npx cap open android.
  4. Test the authentication flow on a real device.

Read the full report for GHSA-VX5F-VMR6-32WF on our website for more details including interactive diagrams and full exploit analysis.
