Potential vulnerability with web3.personal.sign as authentication mechanism #1839
Comments
rmerom
changed the title
|
That's an interesting vector, thanks for bringing it up. Sites could help mitigate this by including obviously site-specific information in their challenge text, but we could probably also bake some security into the API here. We could potentially propose an expanded personal.sign protocol where the data to sign follows a certain format, and can specify a domain that it's valid on. If this domain field is recognized, MetaMask could refuse to sign it on another domain. Requires expanding the personal.sign data protocol, which we've wanted to do. There was an interesting proposal to use email-like headers in the sign payload, allowing specifying multiple rendering formats, for example, and any other metadata like this. #925 |
|
Yes, both sound like good ideas - the email headers, as well as the website adding site-specific information. I'll be happy to join the conversation on the first if one exists. However, I'm wondering if, for the time being, you think that MM should display any warning when using |
|
That sounds reasonable. I'm juggling a lot of things before I'm out for a couple weeks, if anyone wants to propose wording for the wording here, that could speed this along. |
|
thanks for filing the issue. we're following the
I think creating a new domain auth spec as dan proposed is the correct thing to do |
|
Seems like the server for mysensitiveinfo.com should manage the responsibility of generating unique messages (e.g. uuids) for the user to sign. Imposing a site-specific format introduces complexity in using signatures on the blockchain. For instance, imagine a scenario where you want to sign something like a content hash, and to submit that signature to a smart contract. All contracts would need to understand the site-specific policy in order to reason about a content hash and a signature. |
|
@chejazi can you elaborate on how mysensitiveinfo.com could avoid MITM attacks given the attack vector above? |
|
Need to distinguish between:
Both should be responsible for their own anti-replay logic, like nonces, utxos, or ttls. Yes it would be more complicated for an anti replay policy that worked on both contracts and offchain, this seems like a problem for a straw man to solve, we could add real security with a domain-locking format/policy. |
|
I might be wrong on this, but AFAIK there is no need for a replay protection for message signing (they're not transactions, they don't increment the nonce, etc). @rmerom I would deliver the message to sign over https so there is no possibility to MITM. And to avoid the potential for collisions I would use something like uuids. |
|
@FlySwatter +1 |
|
mysensitiveinfo.com could prevent that with proper CORS policy, e.g. using an "Access-Control-Allow-Origin: mysensitiveinfo.com" header in it's responses. That way, a login message (uuid, etc) could only be generated by visiting mysensitive.com directly. |
|
@chejazi I think we had a misunderstanding - I'm not suggesting malicious.com would embed/ajax a call to mysensitiveinfo.com . I suggest it'll contact mysensitive.com from its server, then relay the message to sign to the user of malicious.com . |
|
That could be solved with sessions. Say my browser has a cookie session with mysensitiveinfo.com. Stored in that session data (server side) is the message it gives to the user to sign. Then when the user submits the signed message, it can validate that the message is part of that user's session (and there is no threat of spoofing around this). So even if malicious.com figured out the message generated for a user on mysensitiveinfo.com and got the user to sign it, it wouldn't matter because any sessions created from malicious.com's servers to mysensitiveinfo.com's servers would have different messages. |
|
NVM! I see your point. Please disregard previous message. Thanks for being patient :) |
|
@kumavis which |
|
@carver et al |
|
Hi. It's been a few years since this was brought up. Is there a newer spec that incorporates domain which solves this? Or is the solution to embed session related info into the request? |
Yes, but it's not backwards compatible. Both version 0 and 1 of EIP-191 include components that could be used to validate who generated the message for signing. Note that For this thread's reasons, and other incompatibility issues (like the awful way that |
|
If the Sign-in with Ethereum pull request is merged, then it should provide an improvement for cross-domain signing. |
Problem:
Suppose mysensitiveinfo.com uses
web3.personal.signfor authentication.malicious.com is another website that lures users into authenticating. When a user asks for a challenge message for her to sign for address A, malicious.com's server requests a similar challenge for A from mysensitiveinfo.com . malicious.com then relays the challenge to the user, gets the message signed and can now log into mysensitiveinfo.com .
Possible mitigation:
Have MetaMask emulate the same-origin policy by requiring messages that are to be signed to be prefixed with the page's domain name + some delimiter.
The text was updated successfully, but these errors were encountered: