Re: [w3c/payment-handler] Reduce risk of timing attack on canmakepayment (Issue #415)

Thanks Ian! (cc @rsolomakhin )

cc @johannhof - this is similar to other network attacks we've been discussing over the last few months, so I thought you should be aware. The attack is roughly:

**Attackers**: colluding websites flowers.example and tracker.example

**Pre-requisite**: tracker.example has registered a web-based payment app, by creating a PaymentRequest object for https://tracker.example and calling `show()` on it. This will show UI (once https://github.com/w3c/payment-handler/issues/416 is addressed), but it only has to happen once and even if the user closes the modal the app will still be installed. This does not need to happen on tracker.example, it can be initiated from any website.

**Attack**:

1. User visits flowers.example
2. flowers.example issues a `fetch()` to tracker.example, saying "I am flowers.example, and I am about to create a Payment Request"
    - tracker.example's server makes note of this request, and also records the IP address, geolocation, etc.
3. flowers.example creates a `PaymentRequest` object with a `supportedMethods` of https://tracker.example
    - This does not show any UI (because they have not called `show()`).
4. Chrome sends a "canmakepayment" event to the service worker for tracker.example's web-app
5. The tracker.example service worker receives the "canmakepayment" event (which contains no data about flowers.example or the user, see https://github.com/w3c/payment-handler/issues/413), but is in a 'first party' context.
6. The tracker.example service worker issues a `fetch()` to tracker.example, saying "I just received a canmakepayment event"
    - This fetch includes cookies for tracker.example, for example a tracking identifier id=abcd1234
    - tracker.example's server makes note of this request, and also records the IP address, geolocation, etc.
7. The tracker.example server joins the two network-side logs, and concludes that user abcd1234 is visiting flowers.example

(repeat attack across other colluding websites, allowing the user to be tracked across the web).

-- 
https://github.com/w3c/payment-handler/issues/415#issuecomment-1528831370

Received on Saturday, 29 April 2023 17:10:08 UTC
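The log join in step 7, and the effect of a random delay before the browser dispatches "canmakepayment" (the mitigation direction the issue title points at), as an added toy simulation that is not part of this thread or of the payment-handler spec. All names, timestamps and the shared IP are constructed, and the deterministic `jitter` helper stands in for random browser jitter.

```javascript
// Added example, not from the issue thread: a toy model of the step 7 log join
// and of how a random delay before the browser dispatches "canmakepayment"
// degrades it. Every value is constructed. The users share one egress IP
// (NAT/VPN); with a unique IP per user the join needs no timing at all, which
// is why the IP recorded in steps 2 and 6 is a problem on its own.

const SHARED_IP = "198.51.100.7"; // constructed, RFC 5737 documentation range

// Stand-in for the browser's random dispatch jitter; deterministic so the
// result is reproducible.
const jitter = (u, maxDelayMs) => (u * 7919) % maxDelayMs;

// Build the two server-side logs tracker.example would hold for `users` users
// who each visit a different colluding site 1 s apart:
//   siteLog: step 2, the "about to create a PaymentRequest" fetch (site, IP, t)
//   swLog:   step 6, the service-worker fetch carrying the tracking cookie
function buildLogs(users, maxDelayMs) {
  const siteLog = [];
  const swLog = [];
  for (let u = 0; u < users; u++) {
    const t = u * 1000;
    siteLog.push({ ip: SHARED_IP, site: `shop${u}.example`, t });
    swLog.push({ ip: SHARED_IP, cookie: `id${u}`, t: t + jitter(u, maxDelayMs) });
  }
  return { siteLog, swLog };
}

// Step 7 as the tracker would run it: for each cookie-bearing hit, collect the
// step 2 hits from the same IP that could have triggered it, i.e. those that
// precede it by less than the maximum dispatch delay. Only a single candidate
// lets the tracker say "cookie X visited site Y".
function uniqueAttributions({ siteLog, swLog }, maxDelayMs) {
  let unique = 0;
  for (const hit of swLog) {
    const candidates = siteLog.filter(
      (s) => s.ip === hit.ip && s.t <= hit.t && hit.t - s.t < maxDelayMs
    );
    if (candidates.length === 1) unique += 1;
  }
  return unique;
}

// With a near-immediate dispatch every cookie is tied to exactly one site;
// with up to 30 s of jitter only one of the ten visitors is still uniquely
// matched, the rest have several plausible sites each.
function demo() {
  return {
    immediate: uniqueAttributions(buildLogs(10, 10), 10), // 10
    jittered: uniqueAttributions(buildLogs(10, 30000), 30000), // 1
  };
}
```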