TousAntiCovid sources / TousAntiCovid Android / Issues / #25
Closed
Open
Issue created Jun 02, 2020 by Mathieu Peyrega@_Matioupi_

Sybil attack implementation is almost trivial.

Implementation of the Sybil attack is trivial if the CAPTCHA_API key is not bound to a given app package name. I don't know how it works for the CAPTCHA API key and only have experience with Google Maps API keys, but for the latter, you can bind the API key to some package name. Maybe it's not possible here because it's embedded in a WebView, if I understand correctly.

As a consequence, rebuilding the app with different package names and setting trivial time filters for "listening" allows you to retrieve the time at which you were contaminated, if it happens that you are.

Here are screenshots of 3 instances of the app running in parallel on the same phone and perfectly registered to the official server (and broadcasting their own EBIDs):

Screenshot_20200602-180518

Screenshot_20200602-180256
