CVE-2024-31695: n/a
A misconfiguration in the fingerprint authentication mechanism of Binance: BTC, Crypto and NFTS v2.85.4 allows attackers to bypass authentication when adding a new fingerprint.
AI Analysis
Technical Summary
CVE-2024-31695 is a critical security vulnerability identified in the Binance: BTC, Crypto and NFTS mobile application, specifically version 2.85.4. The vulnerability arises from a misconfiguration in the fingerprint authentication mechanism, which is intended to provide biometric security for user authentication. This flaw allows an attacker to bypass the fingerprint authentication process when adding a new fingerprint to the device or app, effectively circumventing security controls without requiring any privileges, user interaction, or prior authentication. The vulnerability is classified under CWE-863 (Incorrect Authorization), indicating that the application fails to properly enforce authorization checks during fingerprint enrollment. The CVSS v3.1 base score is 9.8 (critical), reflecting the vulnerability's high impact on confidentiality, integrity, and availability, combined with its ease of remote exploitation (attack vector: network, no privileges or user interaction needed). Although no public exploits have been reported yet, the severity and nature of the flaw make it a prime target for attackers aiming to gain unauthorized access to cryptocurrency wallets and NFT assets managed via the app. The lack of available patches or mitigations from the vendor at the time of publication further exacerbates the risk. This vulnerability threatens the security of users' digital assets and could lead to theft, unauthorized transactions, and loss of trust in the platform.
Potential Impact
The impact of CVE-2024-31695 is severe for organizations and individual users relying on the Binance app for cryptocurrency and NFT management. Successful exploitation enables attackers to bypass biometric authentication controls, granting unauthorized access to user accounts and wallets. This can lead to theft of cryptocurrencies, unauthorized transfers, and compromise of sensitive personal and financial data. The integrity of transactions and availability of user accounts are also at risk, potentially causing financial losses and service disruptions. For organizations, this vulnerability could undermine customer trust, lead to regulatory scrutiny, and cause reputational damage. Given the critical nature of the flaw and the high value of assets managed through the app, the threat poses a significant risk to the global cryptocurrency ecosystem. The absence of known exploits in the wild currently provides a limited window for proactive defense, but the ease of exploitation and high impact necessitate urgent attention.
Mitigation Recommendations
To mitigate the risks posed by CVE-2024-31695, users and organizations should take immediate and specific actions beyond generic advice:
1) Temporarily disable fingerprint authentication within the Binance app until a vendor patch is released.
2) Use strong alternative authentication methods such as multi-factor authentication (MFA) with hardware tokens or authenticator apps.
3) Monitor account activity closely for any unauthorized access or suspicious transactions and enable transaction alerts.
4) Restrict app permissions and avoid using the app on devices that are not fully secured or updated.
5) Educate users about the risk and encourage them to report any anomalies promptly.
6) Follow Binance's official channels for updates and apply security patches immediately once available.
7) Consider using hardware wallets or cold storage solutions for high-value assets to reduce exposure.
8) Implement network-level protections such as IP whitelisting and anomaly detection for organizational accounts.
These targeted measures will help reduce the attack surface and protect assets until the vulnerability is fully remediated.
Affected Countries
United States, South Korea, Germany, Singapore, United Kingdom, Japan, Canada, Australia, India, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-04-05T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6dd5b7ef31ef0b58f080
Added to database: 2/25/2026, 9:47:01 PM
Last enriched: 2/26/2026, 12:26:55 PM
Last updated: 4/12/2026, 7:54:54 AM