Reolink App Lock Screen Bypass

1. Reporting Information

Name: Team Brrester

2. Overview of Vulnerabilities

Vulnerability Title: app lock screen authentication bypass

Date of Discovery: 2025.06.09

Discovery Location (URL or System Path): com.android.bc.MainActivity / com.android.bc.ForegroundLockActivity

Vulnerability Type (CWE ID): CWE-288 (Authentication Bypass Using Alternate Path)

Vulnerability Description: The lock feature of the Reolink Android app does not manage a global authentication state and instead relies solely on the Intent data passed during Activity invocation. A physical attacker with device access can use tools like ADB (Android Debug Bridge) to bypass the lock screen (ForegroundLockActivity) and directly launch the protected main screen (MainActivity). This completely skips the authentication process, allowing unauthorized access to all data and functionalities within the app.

3. Details

Products/Services Affected: Reolink app

Product Version: 4.53.1.0.20250526

Vulnerable Components: com.android.bc.MainActivity / com.android.bc.ForegroundLockActivity

Attack Vector:

1. Vulnerability in Locking Logic (ForegroundLockActivity.java): ForegroundLockActivity determines the following behavior based on the IS_APP_JUST_LAUNCH_KEY and IS_APP_NEXT_ACTIVITY_KEY values received from 'Intent'. This means that the activity behavior can be controlled by external input.
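
One way to remove the dependency on Intent data described above, shown as an added example that is not Reolink's code: every protected screen consults a process-wide lock state and ignores caller-supplied extras when deciding whether to show content. `AppLockState`, `LockGuardedActivity`, `lockScreen()` and the 30-second re-lock window are hypothetical names and assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.SystemClock;

/** Process-wide lock state (hypothetical helper, not a class from the app). */
final class AppLockState {
    private static final long RELOCK_AFTER_MS = 30_000; // assumed policy
    private static volatile long unlockedAt = -1;        // -1 means locked

    private AppLockState() {}

    /** Called only by the lock screen, after the credential has been verified. */
    static void markUnlocked() { unlockedAt = SystemClock.elapsedRealtime(); }

    /** Called when the app goes to the background or the user locks it. */
    static void lock() { unlockedAt = -1; }

    /** Fails closed: a fresh process starts with unlockedAt == -1. */
    static boolean isUnlocked() {
        long t = unlockedAt;
        return t >= 0 && SystemClock.elapsedRealtime() - t < RELOCK_AFTER_MS;
    }
}

/** Base class for every protected screen (hypothetical name). */
abstract class LockGuardedActivity extends Activity {
    /** The app's lock screen class, supplied by the subclass. */
    protected abstract Class<? extends Activity> lockScreen();

    @Override
    protected void onResume() {
        super.onResume();
        // The decision uses in-process state only. Extras on getIntent() are
        // caller-controlled and are deliberately not consulted here.
        if (!AppLockState.isUnlocked()) {
            startActivity(new Intent(this, lockScreen()));
            finish(); // keep the protected UI off the back stack
        }
    }
}
```

With this shape, extras can still carry navigation hints such as which screen to open after unlocking, but launching a protected Activity directly only leads back to the lock screen.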