Re: [webauthn] Code Injection vulnerability from client side (#1965)

This prompt appears when a WebAuthn call is made from a Python application, which is shown in the second line of the prompt.
![image](https://github.com/w3c/webauthn/assets/44285351/b208cbef-6cbe-4328-a075-51a80d698fbe)

However, this is the prompt when WebAuthn is called from a legitimate browser. It shows the call was made from "msedge.exe".
![image](https://github.com/w3c/webauthn/assets/44285351/d433104c-7a03-432b-b81a-f8a3efd8809c)

Now it is clear that the webauthn.dll driver in windows already knows which application is making the webauthn call. I would suggest passing the same onto the authenticator by adding it to the publicKeyCredentials object. The authenticator might reflect the same on the ClientDataJSON, whose hash is signed by the authenticator. Hence, in this way, the RP can know what application was used to perform the WebAuthn call. Then, the RP server can decide whether to allow the user or not.

-- 
GitHub Notification of comment by AdityaMitra5102
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1965#issuecomment-1722377403 using your GitHub account
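As an added example (not part of the comment above, the WebAuthn spec, or any project code), the following shows the checks an RP server could run on a "webauthn.get" response if the calling application were carried in clientDataJSON as proposed. It assumes a hypothetical `callingApplication` field name, a hypothetical origin `https://rp.example`, and constructed sample data; signature verification over `authenticatorData || SHA-256(clientDataJSON)` is assumed to have been done already by the RP's WebAuthn library. The point it makes is that the field only gives the RP anything if it sits inside the bytes whose hash the authenticator signed, so the hash binding is checked before any field is trusted.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical field name used to illustrate the proposal; not defined by the WebAuthn spec.
CALLER_FIELD = "callingApplication"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_client_data(client_data_json: bytes, signed_hash: bytes,
                       expected_challenge: bytes, expected_origin: str,
                       allowed_callers: frozenset) -> tuple:
    """RP-side checks on clientDataJSON; returns (accepted, reason)."""
    # The authenticator signs authenticatorData || SHA-256(clientDataJSON). Only fields
    # covered by that hash are protected, so bind the received bytes to the signed hash first.
    actual_hash = hashlib.sha256(client_data_json).digest()
    if not hmac.compare_digest(actual_hash, signed_hash):
        return False, "clientDataJSON does not match the hash the authenticator signed"
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "challenge is not base64url"
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch"
    # Policy on the proposed field: absent means the RP cannot tell who made the call.
    caller = client_data.get(CALLER_FIELD)
    if caller is None:
        return False, "no calling application recorded; policy requires one"
    if caller not in allowed_callers:
        return False, f"calling application {caller!r} is not on the allow list"
    return True, "accepted"


def make_client_data(challenge: bytes, origin: str, caller=None) -> bytes:
    """Constructed sample clientDataJSON, serialised the way a client would."""
    data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    if caller is not None:
        data[CALLER_FIELD] = caller
    return json.dumps(data, separators=(",", ":")).encode()


def demo() -> dict:
    challenge = b"\x01" * 32            # constructed; real RPs use a fresh random challenge
    origin = "https://rp.example"       # hypothetical RP origin
    allowed = frozenset({"msedge.exe"})  # policy: only the browser named in the comment
    results = {}

    browser = make_client_data(challenge, origin, "msedge.exe")
    results["browser"] = verify_client_data(
        browser, hashlib.sha256(browser).digest(), challenge, origin, allowed)

    script = make_client_data(challenge, origin, "python.exe")
    results["script"] = verify_client_data(
        script, hashlib.sha256(script).digest(), challenge, origin, allowed)

    legacy = make_client_data(challenge, origin)  # client that does not send the field
    results["legacy"] = verify_client_data(
        legacy, hashlib.sha256(legacy).digest(), challenge, origin, allowed)

    # Field edited after signing: the signed hash still covers the original bytes,
    # so the hash-binding check rejects it before the caller field is even read.
    tampered = script.replace(b"python.exe", b"msedge.exe")
    results["tampered"] = verify_client_data(
        tampered, hashlib.sha256(script).digest(), challenge, origin, allowed)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} accepted={ok} reason={reason}")
```

Checking the hash binding first, and doing it with a constant-time comparison, mirrors how the rest of clientDataJSON (challenge, origin) already gets its integrity: none of those fields mean anything unless the bytes are the ones the authenticator hashed.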


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 17 September 2023 03:04:09 UTC