[w3c/payment-request] Discuss findings of security analysis (#903)

Dear all! 
I spent the last 6 months performing a formal security analysis of the current state of the Web Payment APIs as my Master's Thesis. You can find the report of the analysis attached to the issue.

Through that analysis, 3 issues were observed.
1) An attack that resulted from a faulty implementation of the retry mechanism in Chrome/an ambiguous definition of the retry mechanism in the specs.
2) A vulnerability that results from the possibility of specifying ambiguous information for a single payment method identifier in the methodData of a payment request, especially since the spec does not imply what should happen in such a scenario (e.g. "last one wins" or "fails").
3) A proposal of how to change the payment update event to prevent privacy issues concerning sending data to the merchant before payment intent was expressed.

I hope that especially the second point could be tackled in the spec. I worry that potential future named payment methods or future developments in general could otherwise introduce major attack vectors.

Have a nice day and stay healthy!
[a_formal_security_analysis_of_the_web_payment_apis.pdf](https://github.com/w3c/payment-request/files/4414703/a_formal_security_analysis_of_the_web_payment_apis.pdf)
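The second finding above concerns a methodData array that lists the same payment method identifier more than once. As an added example (not code from the issue, the attached thesis, or the Payment Request spec), the following merchant-side pre-check detects such duplicates and refuses to build a request from them, so the page never depends on whichever resolution ("last one wins" or "fails") a given browser happens to apply. It assumes the spec shape in force at the time, where each methodData entry has a single string `supportedMethods` identifier; the function names and the sample input are constructed for this example.

```javascript
// Added example, not from the issue or the spec: reject methodData arrays
// that name the same payment method identifier more than once.
// Assumes each entry is { supportedMethods: string, data?: object }.

// Returns a list of duplicate identifiers with the indices involved, so a
// caller can log exactly which entries collided.
function findDuplicateMethodIds(methodData) {
  if (!Array.isArray(methodData)) {
    throw new TypeError("methodData must be an array");
  }
  const seen = new Map(); // identifier -> index of first occurrence
  const duplicates = [];
  methodData.forEach((entry, index) => {
    if (!entry || typeof entry.supportedMethods !== "string") {
      throw new TypeError(`methodData[${index}].supportedMethods must be a string`);
    }
    const id = entry.supportedMethods;
    if (seen.has(id)) {
      duplicates.push({ id, firstIndex: seen.get(id), duplicateIndex: index });
    } else {
      seen.set(id, index);
    }
  });
  return duplicates;
}

// Fail closed: throw instead of letting the browser pick one of the
// conflicting entries. Returns the (unchanged) array when it is unambiguous.
function assertUnambiguousMethodData(methodData) {
  const dups = findDuplicateMethodIds(methodData);
  if (dups.length > 0) {
    const summary = dups
      .map((d) => `${d.id} (entries ${d.firstIndex} and ${d.duplicateIndex})`)
      .join(", ");
    throw new RangeError(
      `ambiguous methodData: duplicate payment method identifier(s): ${summary}`
    );
  }
  return methodData;
}

// Constructed sample input: "basic-card" appears twice with conflicting data.
const sampleMethodData = [
  { supportedMethods: "basic-card", data: { supportedNetworks: ["visa"] } },
  { supportedMethods: "https://example.com/pay" },
  { supportedMethods: "basic-card", data: { supportedNetworks: ["amex"] } },
];

// Typical use in a page (PaymentRequest is only available in a browser):
//   const request = new PaymentRequest(assertUnambiguousMethodData(methodData), details);
```

Wrapping the constructor call this way turns a silently resolved ambiguity into a visible error during development, which is the behaviour the issue asks the spec to mandate.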



Received on Wednesday, 1 April 2020 11:23:06 UTC