Re: Migrating "A Well-Known URL for Changing Passwords" to WebAppSec from WICG from tag 636 on 2020-05-06 (public-webappsec@w3.org from May 2020)

From: tag 636 <tag636@gmail.com>
Date: Wed, 6 May 2020 15:55:49 +0200
To: "Theresa O'Connor" <hober@apple.com>
Cc: "Oda, Terri" <terri.oda@intel.com>, Mike West <mkwst@google.com>, Web Application Security Working Group <public-webappsec@w3.org>, Ricky Mondello <rmondello@apple.com>
Message-ID: <CAHCi+wJEKOGyh0n_6iWqM-MP5+8sveUVpVOfOnu-0z7VoNGZkg@mail.gmail.com>

//Would changing the spec to always use the registrable domain in the URL
address your concern?

If the logic is stricly focus on all level of the domain syntax, it could
be ok (I mean 3rd, 4th and even further), if it does check only the main
one, a 3rd domain take over could be seen as legitimate domain.

See the incidents with microsoft subdomain take over as example

Thanks, Regards

Carlo

On Wed, 6 May 2020, 15:43 Theresa O'Connor, <hober@apple.com> wrote:

> Hi,
>
> > I am also concerning that draft is not considering 3rd level domains
> > take over and how an attacker could advertise a password change URL to
> > get a Beef kind of hooking of clients in a bot fashion.
>
> Would changing the spec to always use the registrable domain in the URL
> address your concern?
>
> I've filed https://github.com/WICG/change-password-url/issues/20 to
> track this.
>
>
> Tess
>

Received on Wednesday, 6 May 2020 14:33:13 UTC