bytesbay / web3-token

Web3 Token is a new way to authenticate users in hybrid dApps using signed messages. Implementation of EIP-4361.

what if malicious user gets access to signature and encode token with new expiry date? #13

Closed ethdev279 closed 2 years ago

ethdev279 commented 2 years ago

Hello @bytesbay,

First of all, I appreciate your idea and work!

The Issue:

I'm thinking: if the hacker has access to a token (even an expired one) and tries to decode the signature by looking at the verify.js code you have, he gets the signature. Now he can set a new expiry date the way you did it in sign.js. Of course it is not possible to set the expiry through the package, but he can do it with his own code (since, I believe, there's no JWT secret involved to encode). Then he can send this token to the backend API, which in turn gets validated by the API (since it will never expire if he's greedy). Won't this be a problem? Or am I missing something? I think there should be a way to encode and decode messages with a secret. No?

@bytesbay thoughts?

bytesbay commented 2 years ago

@ethdev279 Added domain option in new version to prevent this vulnerability