FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Add Cross-Origin-Opener-Policy header to login pages #2847

Open JGpGH opened 1 month ago

JGpGH commented 1 month ago

Cross-Origin-Opener-Policy header on login pages

Problem

It seems like by default the OAuth Authorize page and perhaps other login pages do not have the Cross-Origin-Opener-Policy header present, making the pages vulnerable to cross-site leaks. Combined with social engineering, an attacker could get enough information and control from the child window to take over someone's account by redirecting to the wrong OAuth app.

Solution

Add the Cross-Origin-Opener-Policy: same-origin header to login pages.

Alternatives/workarounds

One alternative would be to inject the following in all login pages to close the application whenever it's opened from any other window.

The second one (probably the most secure and clean) is to use a K8s egress to add the header on all login pages; however, the latter requires a little more complex deployment setup.

Related
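As an added example (not FusionAuth code and not the reporter's snippet), a small Node.js check that parses captured login-page response headers, as you would get from `curl -sI`, and flags pages whose Cross-Origin-Opener-Policy does not sever the cross-origin opener relationship. The paths and header captures below are constructed.

```javascript
// Parse a raw HTTP/1.1 header block into a lowercase-keyed map.
function parseHeaders(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.trim() !== "");
  const headers = {};
  for (const line of lines.slice(1)) { // first line is the status line
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    headers[name] = line.slice(idx + 1).trim(); // last occurrence wins
  }
  return headers;
}

// Classify the COOP posture of one response. Only "same-origin" guarantees that
// a cross-origin opener loses its window reference to the login page;
// "same-origin-allow-popups" and "unsafe-none" keep the opener link alive.
function coopStatus(headers) {
  const value = headers["cross-origin-opener-policy"];
  if (value === undefined) return "missing";
  const token = value.split(";")[0].trim().toLowerCase(); // drop report-to params
  if (token === "same-origin") return "ok";
  if (token === "same-origin-allow-popups" || token === "unsafe-none") return "weak";
  return "unknown";
}

// Audit several captured responses; returns the paths that still need fixing.
function auditLoginPages(captures) {
  return Object.entries(captures)
    .map(([path, raw]) => ({ path, status: coopStatus(parseHeaders(raw)) }))
    .filter((r) => r.status !== "ok");
}

// Constructed sample captures (hypothetical paths, not real FusionAuth output).
const SAMPLE_CAPTURES = {
  "/oauth2/authorize": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n",
  "/oauth2/logout": "HTTP/1.1 200 OK\r\nCross-Origin-Opener-Policy: same-origin-allow-popups\r\n",
  "/password/forgot": "HTTP/1.1 200 OK\r\nCross-Origin-Opener-Policy: same-origin; report-to=\"coop\"\r\n",
};

// Human-readable report lines, one per page that is not yet at "same-origin".
function report(captures) {
  return auditLoginPages(captures).map((r) => `${r.path}: COOP ${r.status}`);
}
```

Run `report(SAMPLE_CAPTURES)` against headers captured from your own deployment to see which login paths still return no policy or a weaker one.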

mooreds commented 2 weeks ago

Thanks for the suggestion @JGpGH !