[Yoti] Pin Bruteforce Rate-Limiting Bypass (1000 USD)

We discussed this vulnerability as part of our weekly podcast on 22 March 2022.

A trivial instance of client-side validation: to enforce a timeout, the app relied on the device's time. By changing the time on the device, you can therefore make more attempts at the PIN.
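
The flaw and its fix, as an added Python sketch that is not Yoti's code: the same lockout logic holds or fails depending on whose clock it reads. The policy values, the PIN, and the names PinLockout, Clocks and evaluated_guesses are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Callable

MAX_FREE_ATTEMPTS = 3   # assumed policy values, not taken from the report
BASE_LOCKOUT_S = 30

@dataclass
class PinLockout:
    """PIN check with a lockout; `clock` decides whose time is trusted."""
    pin: str
    clock: Callable[[], float]
    failures: int = 0
    locked_until: float = 0.0

    def try_pin(self, guess: str) -> str:
        now = self.clock()
        if now < self.locked_until:
            return "locked"            # guess is not evaluated at all
        if hmac.compare_digest(guess.encode(), self.pin.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FREE_ATTEMPTS:
            extra = self.failures - MAX_FREE_ATTEMPTS
            self.locked_until = now + BASE_LOCKOUT_S * 2 ** extra  # doubling backoff
        return "wrong"

class Clocks:
    """Constructed fixture: a user-settable device clock and a server clock."""
    def __init__(self) -> None:
        self.device = 1_000_000.0
        self.server = 1_000_000.0

def evaluated_guesses(trust_device_clock: bool, tries: int = 20) -> int:
    """Count guesses actually checked when the device clock is moved forward
    after every lockout while no real time passes (server clock stays put)."""
    clocks = Clocks()
    source = (lambda: clocks.device) if trust_device_clock else (lambda: clocks.server)
    lock = PinLockout(pin="4821", clock=source)  # constructed PIN
    checked = 0
    for i in range(tries):
        result = lock.try_pin(f"{i:04d}")        # 0000..0019, never the real PIN
        if result == "locked":
            clocks.device = lock.locked_until + 1  # device time changed by the user
        else:
            checked += 1
    return checked
```

With the device clock trusted, 11 of the 20 guesses are checked; with the attempt counter and clock held where the user cannot set them, only the first 3 are.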