CVE-2024-31695
📋 TL;DR
A misconfiguration in the fingerprint authentication mechanism of the Binance mobile app allows attackers to bypass authentication when adding a new fingerprint. This affects users of Binance: BTC, Crypto and NFTS version 2.85.4 who rely on fingerprint authentication for app security.
💻 Affected Systems
- Binance: BTC, Crypto and NFTS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover allowing unauthorized cryptocurrency transactions, fund theft, and identity compromise.
Likely Case
Unauthorized access to cryptocurrency wallets leading to financial loss and potential exposure of sensitive user data.
If Mitigated
Limited impact if multi-factor authentication is enabled and transaction confirmations are required for withdrawals.
🎯 Exploit Status
Exploitation requires physical access to the device or ability to manipulate fingerprint enrollment process.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.85.5 or later
Vendor Advisory: https://zzzxiin.github.io/post/binance/
Restart Required: Yes
Instructions:
1. Open Google Play Store or Apple App Store
2. Search for Binance app
3. Update to latest version
4. Restart the application
🔧 Temporary Workarounds
Disable Fingerprint Authentication
Temporarily disable fingerprint authentication and use PIN/password only
Open Binance app > Settings > Security > Disable Fingerprint Authentication
Enable Additional Security Layers
Enable transaction confirmations and withdrawal whitelists
Open Binance app > Settings > Security > Enable Transaction Confirmations > Enable Withdrawal Address Whitelist
🧯 If You Can't Patch
- Disable fingerprint authentication immediately and use PIN/password only
- Enable withdrawal address whitelist and transaction confirmations for all transactions
🔍 How to Verify
Check if Vulnerable:
Check the app version in settings. If the version is exactly 2.85.4 and fingerprint authentication is enabled, the device is vulnerable.
Check Version:
Open Binance app > Settings > About > Check Version
Verify Fix Applied:
Update to version 2.85.5 or later and verify fingerprint enrollment requires proper authentication.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed fingerprint attempts followed by successful enrollment
- Fingerprint enrollment from unrecognized device
Network Indicators:
- Unusual transaction patterns from previously inactive accounts
- Multiple login attempts from the same device with different fingerprints
SIEM Query:
source="binance_logs" AND (event="fingerprint_enrollment" AND result="success" AND previous_attempts>0)