Re: [webauthn] Code Injection vulnerability from client side (#1965)

I feel you misunderstood the attack procedure. The user is not tricked into Self-XSS. The attacker performs a Self-XSS on himself so that he can recover the challenge and RP ID from the browser. This is then sent to a trojan running in the background on the user's machine which just prompts the user for UP or UV. As the user gives the same, the signed challenge and authenticator data are sent back to the attacker via the trojan. Here, the user is not entering any code on the browser console.

-- 
GitHub Notification of comment by AdityaMitra5102
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1965#issuecomment-1722371914 using your GitHub account


Received on Sunday, 17 September 2023 02:25:39 UTC