w3c / payment-method-manifest

Specification for Web Payments payment method manifests
https://w3c.github.io/payment-method-manifest/

Remove "*" functionality for supported_origins #42

Closed danyao closed 4 years ago

danyao commented 4 years ago

In the same spirit as the privacy & security discussion of payment handlers at the WPWG virtual F2F [1], we should remove the "*" functionality from supported_origins because it poses an asymmetric phishing threat:

Preconditions:

  1. A malicious payment handler, e.g. phishypay.example, somehow manages to install itself and claims support for openpay.example
  2. openpay.example's payment method manifest specifies "*" for supported_origins

Attack:

  1. User visits a trusted merchant, e.g. goodshop.example
  2. The merchant uses a trusted payment method, e.g. openpay.example
  3. Browser invokes phishypay.example, which phishes the user for their openpay.example credentials

This attack is dangerous because it doesn't require merchant collusion.

Removing "*" would require merchant collusion with phishypay.example to pull off the same attack, which is a higher bar for malicious actors.

[1] https://www.w3.org/2020/03/30-wpwg-minutes.html#item02
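The check below is an added example, not code from the issue, the spec or any browser: it models how a user agent decides whether a payment handler's origin is authorized by a payment method manifest, with a switch that reproduces the "*" behaviour this issue asks to remove. The manifest objects, the `openpay.example`/`phishypay.example`/`partner.example` origins and the https-only rule are constructed for illustration.

```javascript
// Added example modelling the supported_origins check from the issue above.
// Given the manifest served by a payment method (e.g. openpay.example) and
// the origin of a payment handler claiming to support that method, decide
// whether the browser should let the handler be invoked.

// Reduce a URL or origin string to scheme://host[:port]; URL lowercases
// the host and drops default ports, so "https://A.example:443/x" matches.
function normalizeOrigin(value) {
  const u = new URL(value); // throws on malformed input
  if (u.protocol !== "https:") throw new Error("origins must be https");
  return u.origin;
}

// allowWildcard === true reproduces the "*" behaviour discussed in the
// issue: any handler that claims the method is accepted, so a merchant
// using openpay.example can end up invoking phishypay.example with no
// merchant collusion. With the default (false), "*" authorizes nothing
// and only origins explicitly listed by the payment method are trusted.
function isHandlerAuthorized(manifest, handlerOrigin, allowWildcard = false) {
  const origins = manifest.supported_origins;
  if (origins === undefined) return false;      // no third-party handlers
  if (origins === "*") return allowWildcard;    // the asymmetric case
  if (!Array.isArray(origins)) return false;    // malformed manifest
  let target;
  try { target = normalizeOrigin(handlerOrigin); } catch { return false; }
  return origins.some((o) => {
    try { return normalizeOrigin(o) === target; } catch { return false; }
  });
}

// Constructed sample manifests for the two configurations being compared.
const wildcardManifest = {
  default_applications: ["https://openpay.example/app.json"],
  supported_origins: "*",
};
const allowlistManifest = {
  default_applications: ["https://openpay.example/app.json"],
  supported_origins: ["https://partner.example"],
};

// Before the change: a manifest with "*" lets phishypay.example through.
console.log(isHandlerAuthorized(wildcardManifest, "https://phishypay.example", true));
// After the change: only the listed partner is accepted.
console.log(isHandlerAuthorized(allowlistManifest, "https://phishypay.example"));
console.log(isHandlerAuthorized(allowlistManifest, "https://PARTNER.example:443/x"));
```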

danyao commented 4 years ago

Chromium implementation bug: crbug.com/1070827