Affected Versions: 5.0.0 - 5.0.6
Fix Version: 5.1.0
A number of security vulnerabilities were identified in Identity Vault version 5 that have been addressed as of version 5.1.0. We recommend that anyone using Identity Vault version 5 update to the latest version to receive these fixes in their application.
Vulnerability Details
Lockout Bypass - Medium Severity
After a number of failed attempts to unlock the vault, Identity Vault will clear the data from the vault automatically. It was identified that if the user closed the app prior to reaching this number of attempts, the counter used to determine if the vault should be cleared or not would get reset, allowing the user a potentially unlimited number of retries to unlock the vault without causing the vault to clear. We have addressed this issue, ensuring that the failed attempt counter is not reset between app reloads.
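The following is an added example, not Identity Vault's code: a simplified JavaScript model of the failed-attempt counter, showing why a counter held only in memory never reaches the limit across app restarts while a persisted one does. The class and function names, the limit of 3 and the sample values are assumptions made for the illustration.

```javascript
// Added illustration: a simplified model, not Identity Vault's implementation.
// `storage` stands in for on-device storage that survives an app restart.
const MAX_ATTEMPTS = 3; // constructed limit for the demo

class ModelVault {
  // persistCounter=false: counter lives in memory only (the flaw described above).
  // persistCounter=true: counter is written to storage (the corrected behaviour).
  constructor(storage, persistCounter) {
    this.storage = storage;
    this.persistCounter = persistCounter;
    this.memoryCounter = 0; // lost whenever the app process restarts
  }
  get failures() {
    return this.persistCounter ? (this.storage.failures || 0) : this.memoryCounter;
  }
  set failures(n) {
    if (this.persistCounter) this.storage.failures = n;
    else this.memoryCounter = n;
  }
  unlock(passcode) {
    if (this.storage.secret === undefined) return 'empty';
    if (passcode === this.storage.passcode) {
      this.failures = 0; // reset only on a successful unlock
      return 'unlocked';
    }
    this.failures = this.failures + 1;
    if (this.failures >= MAX_ATTEMPTS) {
      delete this.storage.secret; // too many failures: clear the vault
      delete this.storage.passcode;
      this.failures = 0;
      return 'cleared';
    }
    return 'denied';
  }
}

// Simulates wrong guesses with an app restart (a new ModelVault over the same
// storage) just before the limit is reached, repeated `restarts` times.
function wrongGuessesAcrossRestarts(persistCounter, restarts) {
  const storage = { secret: 'token', passcode: '4821' }; // constructed sample data
  let guesses = 0;
  for (let r = 0; r < restarts; r++) {
    const vault = new ModelVault(storage, persistCounter);
    for (let i = 0; i < MAX_ATTEMPTS - 1; i++) {
      guesses++;
      if (vault.unlock('0000') === 'cleared') return { guesses, cleared: true };
    }
  }
  return { guesses, cleared: false };
}
```

A regression test for this class of bug should recreate the vault object between failed attempts, since a test that keeps one instance alive passes with either counter.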
New Enrolled Biometrics Accepted - Low Severity
It was identified that if a user created a vault on a device and then, using the system PIN, added additional biometric options in their device settings, those new biometrics could be used to unlock the vault. We have corrected this issue by enforcing that the vault is cleared whenever the biometric settings are changed on the device.
DeviceSecurityType Biometrics - Low Severity
One configuration option of Identity Vault specifies which mechanisms are enabled for unlocking the vault. It was determined that if the developer specified Biometrics as their preferred DeviceSecurityType, on Android the device system PIN was still enabled for unlocking the vault. We have corrected this within Identity Vault so that the system PIN is no longer enabled when only Biometrics is requested.
For details on how vulnerabilities are rated, please refer to our Vulnerability Assessment Criteria (link coming soon). If you have any additional questions or concerns, please reach out to your Customer Success Manager or email support@ionic.io.