Re: [webauthn] Code Injection vulnerability from client side (#1965)

While the implementation of this attack may be new, the attack itself has been understood for over 5 years.

When WebUSB initially was launched on Chrome, FIDO was not blocked and an attacker could trick a user into allowing WebUSB for any seemingly legitimate reason and get direct access to an authenticator to perform a man-in-the-middle attack. WebUSB blocked talking to FIDO authenticators, and platforms like Windows blocked non-privileged applications from talking directly to authenticators as well. I will admit that the blocking of direct application access (e.g. malware) to authenticators varies a lot between platforms and interfaces.

At the root of this is that if malware has the ability to talk directly to the authenticator providing RPID and client data, or can at a minimum specify the RPID and challenge (token binding was a mitigation for this in some cases but is not implemented by FIDO clients any more due to lack of browser support)

Properly implemented authenticators must implement UP in a way that cannot be remotely triggered by malware.
If you have found authenticators that can have UP triggered remotely by malware, that is a significant problem for FIDO certification.

Preventing social engineering when the malware has control is hard. At that point the malware could likely just exfiltrate the session cookie after any sort of successful login unless it is bound to the TLS session, or proxy commands via the user agent.

Hybrid authenticators at least provide an external UX for displaying the RPID, forcing the attacker to trick the user into thinking they are logging into the real RP, as some users would notice that having a random gaming site ask for a bank credential is unusual.

So yes, if malware can talk directly to an authenticator or impersonate a browser privilege when talking to an OS WebAuthn API, that makes an active man-in-the-middle attack possible if the user can be socially engineered into providing UV and/or UP.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1965#issuecomment-1722241236 using your GitHub account
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 16 September 2023 14:24:46 UTC