Mitigating a same-device / cross-device security issue #329
Comments
|
Unfortunately, short-lived codes/URLs is an insufficient mitigation that can easily be circumvented by simple adaptations by the attacker. For example, an attacker might provide a static QR code to his website were then a redirect to a fresh auth request URL is performed. Or the QR code can be updated on a website. |
|
For now, it is the only one I see since even using browser API the devices have to be interconnected somehow (Bluetooth or other means) which is not the case for most of the holders' setups. Would you see other ways to mitigate this? EDITIn the case you state, the holder would authenticate for himself, the attacker can only trigger a casual authentication keeping holder privacy |
|
I don't know exactly how the browser API will handle this, but ideally, no persistent connection between the devices is needed - just a proof that they are in proximity. In the same-device flow, the problem can be mitigated with existing protocol features (essentially checking that the nonce matches the session that was started in the browser) as described here. For the cross-device flow, I don't see any mitigation other than OS/browser support for a secure cross-device transfer that includes an origin check. |
|
Do you know how current cross-device implementations solve the issue? As stated in the recommandations there are several ways to prevent session fixations, proximity being the best solution but also one with the higher costs. Would there be more cost effective solutions? Balancing practical security and pragmatism. |
In the current Chrome implementation, a qr code is used to establish an ephemeral bluetooth connection which then establishes a TCP connection via a relay server. There is no need to pre-establish bluetooth connections nor is the user really aware of bluetooth being used - using the FIDO CTAP hybrid protocol - this works regardless of the OS on either end and the user doesn't have to be logged in to the same account on desktop and mobile for it to work. It works for the majority of holders. It works exactly the same as cross device passkeys, which also use FIDO CTAP hybrid. see e.g. https://youtu.be/SWocv4BhCNg?si=GG-DjXmES90WQqML&t=146 |
They either don't or rely on less-than-ideal user-based solutions ("Only click OK if you got here from a secure page"). They may additionally use a-posteriori detection of such attacks. Having a closed ecosystem helps to reduce the potential impact (looking at banking solutions in the nordics here).
From all that I have seen so far, as soon as your ecosystem is open, proximity is the best one. User-based solutions are the easiest to deploy, but also notoriously insufficient. This should provide a comprehensive list of potential mitigations. |
Note that firefox ESR does not implement the FIDO CTAP hybrid protocol. The demo is impressive.
What would be the risk of not coming from a secure page?
Let's suppose the link has a lifetime of one minute, the attacker would have one minute to force the holder to open his authorization link by sending it either by email or text message. The victim would have to open and read the fishing message within that minute and be convinced to open the link to present his verifiable credential. Definitely the probability is non-zero but in my sense low enough to enable this kind of solution. Have you examples of working solutions enabling the proximity in open ecosystems? It might help to have such insights. |
It may be a phishing website. (Not that we should expect anyone to reliable judge whether a website is a phishing website or not.)
Suppose the link generated by the verifier is |
|
I would not say to change the nonce every minute but to have an expiration to the code used to reference the direct post request. The attack you reference would trigger an authentication to the verifier, the holder would keep his identity information private to the verifier relying party which would not be a leak. I do not see issues here. |
The problem is when the holder's information gets into an attacker controller session at the verifier. That is a leak. |
|
As I understand, the origin of the authentication is the holder browser, then the trust relationship between the holder and the verifier is not broken. There is no way the attacker can access identity information but a demand to the verifier which should be trusted. |
No, in the attack the origin of the authentication (I think you mean "the session at the verifier where the authentication was started"?) is the attacker's browser. |
|
Each browser has its session, if the attacker redirects the victim to the authorize URL, the session would be the one of the holder. On an other hand, the attacker can start the flow and enforce the victim to navigate to the response location of the attacker authorize request which I would mitigate by enabling this location to expire. Is it possible for the browser API to be compatible with not up-to-date mobiles? Is the link between the desktop browser and the mobile possible in all use cases (thinking about cross environments)? |
|
It would be beneficial to include the following in the QR code:
The Relying Party (RP) should bind the user-agent with the issued QR code in such a way that a scam attack would not succeed unless the adversary knows and configures their user-agent with the same data as the victim's user-agent. Edited: my comment is related to cross device only. |
If the binding of the nonce to the session is properly checked in same-device flows, this mitigates the attack. For cross-device flows, however, where the response is processed in a browser different than the one where the request was started, this mitigation cannot be applied. This is where the proximity check can help.
As above, expiration doesn't help, as the attack can be executed immediately after acquiring the authorization request. There is no need to replay a QR code or link that contains any elements that expire. (Also @peppelinux) |
I was discussing a scam attack. Below is an example of mitigation using a nonce within the QR code, where Alice is the attacker and Bob is the victim.
The expiration time (exp) mitigates multiple attempts to configure the user-agent, where the attacker tries to guess the user-agent configuration to match Bob's. This mitigation has two weaknesses:
|
I don't understand how this works. The whole problem with the cross device flow is that there's multiple devices involved (and hence multiple browsers involved, if there is a redirect back to the RP) even in the case where there isn't an attacker. |
CTAP is typically implemented in platforms, not user agents (though there are some exceptions). Firefox supports CDA on both Windows and macOS via the platform. Also, just to be super clear, the QR code for FIDO Cross-Device Authentication is optional, and does not contain any information about the actual WebAuthn or Digital Credential request. It is solely for establishing a secure relationship between the two devices. This is one of the reasons FIDO CDA + Digital Credentials API is the preferred method for digital presentation of a VDC. |
|
While not strictly a part of the protocol, a possible mitigation for cross-device phishing attacks is to ask the user to confirm details after the wallet has provided the credentials to the verifier using the
This method is not perfect as it relies on the user successfully assessing the information provided, but it provides an extra layer of security in situations where the user controls both devices. |
|
I think this technically works, it's one of the mitigations mentioned in the cross device BCP, but it's known to be a mitigation that doesn't really work in practice with the majority of users. |
There are security issues with same-device and cross-device flows where as stated in oid4vc_sectrust P-40 (https://openid.github.io/OpenID4VC_SecTrust/draft-oid4vc-security-and-trust.html#name-security-requirement-p-40) an attacker might share a QR code or a link to a victim that would authenticate for him.
The issue is said to be mitigated via the browser API (https://digitalcredentials.dev/docs/wallets/android/#the-provider-api) giving the ability to link a user session to a nonce in case of same-device but also with cross-device by enabling the different devices to communicate one with the other. (@jogu tell me if I am correct on this)
An other way to mitigate the issue would be to provide a short time to live for QR codes and links using the resource created for handling direct_post requests. During the direct_post requests the verifier would be enforced to check the validity of the request by verifying the expiration set on the before step creating the QR code or the link.
The solution would help in both ways, using browser API or not, preventing the authorization request share by setting a short expiration to the direct_post request associated with the verifiable credential demand.
There is a working version of verifier enabling this with little updates, here is the associated commit malach-it/boruta_auth@a104d2e
The text was updated successfully, but these errors were encountered: