[webauthn] Extension's data security on assertion (#1940)

BeetLab has just created a new issue for https://github.com/w3c/webauthn:

== Extension's data security on assertion ==
## Proposed Change

Hi everyone!

I've read different specs on the Passkeys topic and found a lack of security considerations about the following.

Assume there's a web browser asking the user to authenticate with existing credentials using a QR code. The user scans the QR code with their mobile phone, and it transfers the signature as well as the extension responses to the browser.
According to the [FIDO Bluetooth spec](https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-bt-protocol-v1.2-ps-20170411.html#link-security), section "Bluetooth pairing: Client considerations":
"Bluetooth pairing is "system-wide", then any application on that device might be able to interact with an Authenticator."

Does that mean that PRF, largeBlob (or credBlob) extension responses can be intercepted by malware on the user's laptop that is running the web browser?

Thanks. 

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1940 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 9 August 2023 12:40:55 UTC