-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure that attacker can not use malicios email to user as an attack vector #26
Comments
Agree with this, I think there are some potential holes here as well. I posted some initial thoughts at https://filecoinproject.slack.com/archives/C02BZPRS9HP/p1673387411040389 but will right them up as a second pass here. I've at least confirmed that with the new access API (testing via https://github.com/web3-storage/w3ui/tree/46f731ce72ce52cf3210716d1a6845654f2c5819/examples/react/uploads-list) that I can:
This implies to me that I could put your email address in, wait for you to click the link (which you might do on accident thinking it was your own request, or out of curiosity because it's unclear what it's even about, or maybe even could happen automatically by way of an email client link preview or Safe Links style scanning service e.g./cf. ??) — regardless, now the principal identity I generated is active, but in a way the system attributes to you. Right now each identity the client generates seems in practice to be isolated from the others, but as I understand it in the future they will. At that point then via the flow above I could:
…which seems problematic! |
I'm still getting up to speed on the current implementation and in-the-works plans for all this, but as I mentioned in Slack there's probably a need to "close the loop" somehow. Maybe there's a cryptographic tooling in all the DID/UCAN stuff that magically sidesteps this? But without pondering that angle too much, my gut feel is that this does just need to be a more burdensome process for the end user:
|
There may be more here in general, but I've written up the specific vulnerabilities I see with a concrete proposal over at storacha/w3up#333 which is where any implementation would need to start (as well as improvements to w3ui components). |
This came up in storacha/w3up#318. I have not put whole lot of thought into this, but we need to make sure that attacker can't gain access to user account via phishing user into clicking a link they've send them to their email address.
In other words there must be:
The text was updated successfully, but these errors were encountered: