Missing documentation of an option needed to avoid a vulnerability allowing Passwordless to be bypassed if a developer doesn't double-check it on the server-side #350
Comments
bockp
changed the title
tcannonfodder
added a commit
to tcannonfodder/webauthn-ruby
that referenced
this issue
Sep 20, 2022
This fixes cedarcode#350, which pointed out a bug in certain browser/device combinations that allow bypassing the user's PIN if the `user_verfication: true` flag is not set. https://hwsecurity.dev/2020/08/webauthn-pin-bypass/
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As laid out in this article from August 2020:
https://hwsecurity.dev/2020/08/webauthn-pin-bypass/
Android 7+ (possibly other phone OS too ?) currently don't have a properly configured NFC system for Yubikeys when it comes to Passwordless login.
Their authentication system (as well as the above articles Browser-based exploit code) allows the browser-side authenticator to ignore the requirement of User Verification and send in a challenge that is recognized as valid, thus allowing a user to log in using just Username + NFC yubikey, without checking the UV at all.
You've already got one test in your test suite that has the proper code, so it is supported already:
webauthn-ruby/spec/webauthn/authenticator_assertion_response_spec.rb
Line 133 in 9544853
Just need a mention in this piece of documentation that if using a key as Passwordless the "user_verification: true" needs to be in the .verify() code or it won't properly check it's a valid Passwordless (User Presence + User Verification) login, and an exploit can bypass it.
https://github.com/cedarcode/webauthn-ruby#publickeycredentialwithassertionverifychallenge-public_key-sign_count
The text was updated successfully, but these errors were encountered: