Open imax9000 opened 2 weeks ago

I reported this to security@bsky.app over two weeks ago and got no response. So it's probably not considered a security issue.

The UI does not verify that the hostname the user entered at login actually corresponds to the user's PDS. Combined with using a plain text input that is prone to accidental mistakes, it opens up the possibility of exfiltrating account credentials of users of a targeted PDS.

An attacker can buy domains that are slight variations of a target PDS and point them to their own server. Whenever a user attempts to log in on a new device, if they misspell the hostname and it happens to match one of the attacker's, the web UI will happily send a `com.atproto.server.createSession` request with the credentials. To avoid raising suspicion, the attacker's server can then act as a man-in-the-middle and forward all the traffic between the user and their actual PDS.

Hi @imax9000, I don't think we have seen an email about this to security@, though there may have been some mistake or oversight on our end. Either way, thanks for the report!

Date: Tue, 21 May 2024 08:21:54 +0100
Message-ID: <CABWTX-bgfz9yZhYnG3FCMmsFL2+4Ep1pDy_1DPWGgnYHAc+u-g@mail.gmail.com>

In case that helps you track down why you missed it.