Closed kaaboaye closed 2 years ago
Thanks for your comment. Im currently preparing update to fit this standard.
Will add domain
option which will fix this issue. Meanwhile, you can add a custom domain
field with your domain while signing a token and then check on server-side if there's a valid domain
in token's body.
What will stop me from putting website2
's domain in my website1
frontend? I'll still be able to easily create a valid token for website2
. Just use their domain while signing the token.
OAuth2 usually prevents it with callbacks allowlists.
@kaaboaye actually nothing will stop to do it , but the user always see what he is signing
Relying on users paying attention to what they are doing is not the best idea for security.
@kaaboaye Just curious, how are you doing auth?
OAuth2.
In one project we have auth0 and in another custom auth0 like service. But in general when using external authorization authorities like Google or Facebook OAuth2 a golden standard. It’s well designed, documented and battle tested.
On 7 Nov 2021, at 17:17, Gregory @.***> wrote:
@kaaboaye Just curious, how are you doing auth?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.
@kaaboaye How are you doing proof of ownership of a web3 wallet in the oauth flow?
We’re using only password and google authentication at the moment.
On 9 Nov 2021, at 03:45, John Jardine @.***> wrote:
@kaaboaye How are you doing proof of ownership of a web3 wallet in the oauth flow?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.
any update on this? or any way that I can use to mitigate this scenario in the meantime? thanks
notes
Disclaimer This is a quick algorithm that I just described while on the gym. It’s likely I’ve missed something
@kaaboaye @AntMarras Added domain option in new version
Ok, but what stops me from providing another, not mine domain on client side?
@kaaboaye Nothing. For now all the responsibility is on user's shoulders. We can only wait for EIP-4361 to be implemented in wallets, so the wallets will prevent this vulnerability.
Let's assume that there are two websites using
web3-token
:website1
which is under my controlwebsite2
which is under my competitors control.What stops me from performing the following scenario?
user
logs into mywebsite1
and sends it into my server.website2
using the validuser
's token created for mywebsite1
.website2
as theuser
I can steal confidential data.user
have no way of knowing about this attack unlesswebsite2
sends some notifications about for example new ip address being used.website2
also has no way of knowing about this attack since the token is freshly signed valid.