Emil Lundberg <em...@yubico.com>: Dec 02 11:51AM +0100
What I mean is that even without XSS, if a user falls victim to a phishing
attack they'll have loaded a phishing page under the attacker's control.
The scenario is that the attacker is in control of JavaScript running in
the victim's non-FIDO browser, but not in control of the browser itself.
In this case the attacker's phishing webpage, and any script it serves,
will be loaded and running in the non-FIDO WebView on the victim's client
device, so any requests originating from that page will originate from the
victim's IP address (1.2.3.4 in your examples), not from the phishing
server's address (6.6.6.6). So if the phishing page uses AJAX requests to
interact with the IDP, it'll bypass the IP address validation, and the IDP
will return any secrets and cookies to the phishing page. If those secrets
and cookies are accessible to the attacker's JavaScript, the attacker can
intercept them without routing the requests through a proxy server. Thus
the attacker can initiate the detached FIDO flow and receive the
privateToken, call out to the FIDO Browser which will correctly complete
the FIDO authentication, and then use the compromised privateToken to
redeem a session secret. It doesn't matter if the authentication in the
FIDO browser is secure if the phishing page in the non-FIDO browser can
still acquire a session secret, or indeed other sensitive data, in the end.
On further thought, I don't think HttpOnly cookies is enough. I
*think* HttpOnly
should suffice to secure the initial session cookie, but the session cookie
is far from the only sensitive piece. While the attacker won't have direct
access to the session cookie, they can still exercise the cookie in AJAX
requests to access and exfiltrate sensitive data. Furthermore we should
assume the attacker has the victim's password, since they're on a phishing
page. They can also use AJAX to enroll new WebAuthn credentials under the
attacker's control - not by calling the WebAuthn API in the browser of
course, but by simply constructing the PublicKeyCredential structures in
pure JavaScript (or, if the server requires trusted attestation, by calling
out to a remote server with an approved authenticator connected). Then the
attacker can access the account directly from any other device, since they
now have full control of the password and a FIDO credential registered to
the account.
Did I miss something that would prevent these kinds of attack?
Emil Lundberg
Software Engineer | Yubico <http://www.yubico.com/>
|