
Comments (2)

shellster commented on June 23, 2024

The SQRL spec mitigates this attack by requiring the SQRL client to reply only to the host from which the challenge originated. Origination is determined by the QR code, and is HMAC'd to prevent tampering. Therefore, if your MITM website steals a valid QR code from Site A, when the client reads the QR code, it will see it is for Site A. The client won't respond to your website; it will respond directly to the legitimate website.

Now your attack is correct that it can keep checking the validity of the session and, in theory, perform a session hijack. However, the SQRL protocol specifically states (in the section I link) that for highly sensitive applications, you should require the SQRL authenticating agent to perform each sensitive action, which would bypass any session-hijacking MITM attack you mentioned, because the client would only respond to authentic URLs which are provided via the HMAC'd challenge. Also, using standard secure programming practices, any serious account functionality should require re-authentication. So in this case the attack is certainly no worse than a typical man-in-the-middle attack against a password and username; in fact, it is far less serious, even in the worst case, because the attack is a single-session hijack.

In addition to the above, the section I linked to on the SQRL standard also states that you should make the user validate the IP in the client before authenticating it, so an intelligent user should notice the request coming from an IP that they don't recognize. This attack could also be mostly mitigated by storing a never-expiring cookie on the client's machine that the server checks and validates the content of on authentication attempts (after initial registration).

I was a bit harsh in my initial message. The attack may not be fully mitigated, but it is hardly new, nor does it "break" SQRL. SQRL is still far more robust, and far better at defending a user's authentication data than the old password/username paradigm.

from qrljacking.
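The origin binding shellster describes, as an added example that is not code from the qrljacking project or from any SQRL implementation: the server puts its own host in the challenge and HMACs it, the client replies only to the host named in the challenge, and the server accepts a reply only if the echoed challenge is intact, names the server itself, and was signed as received. Hostnames, keys, and the use of an HMAC as a stand-in for the client's per-site signature are assumptions of this demo.

```python
import hmac
import hashlib
import secrets

# Constructed demo of HMAC-bound challenge origin. The client's per-site signature
# is modelled as an HMAC with a client key (assumption; SQRL uses a real signature).
SERVER_KEY = secrets.token_bytes(32)   # Site A's secret, never leaves the server
CLIENT_KEY = secrets.token_bytes(32)   # stand-in for the client's per-site identity key
LEGIT_HOST = "site-a.example"          # constructed hostnames
EVIL_HOST = "evil.example"

def _mac(key, data):
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def issue_challenge(host=LEGIT_HOST, key=SERVER_KEY):
    """Server side: challenge = host|nonce|HMAC(host|nonce). This is what the QR code carries."""
    body = f"{host}|{secrets.token_hex(16)}"
    return f"{body}|{_mac(key, body)}"

def client_answer(challenge, key=CLIENT_KEY):
    """Client side: reply only to the host named in the challenge, signing it as received.
    Returns (destination_host, response)."""
    host = challenge.split("|")[0]
    return host, {"challenge": challenge, "sig": _mac(key, challenge)}

def server_verify(response, own_host=LEGIT_HOST, key=SERVER_KEY, client_key=CLIENT_KEY):
    """Server side: the echoed challenge must carry our HMAC, name our host, and be
    exactly what the client signed; otherwise reject."""
    parts = response["challenge"].split("|")
    if len(parts) != 3:
        return False
    host, nonce, mac = parts
    mac_ok = hmac.compare_digest(mac, _mac(key, f"{host}|{nonce}"))
    sig_ok = hmac.compare_digest(response["sig"], _mac(client_key, response["challenge"]))
    return mac_ok and sig_ok and host == own_host

def relay_unmodified():
    """Phishing page shows Site A's QR code unchanged: the reply goes to Site A, not the phisher."""
    dest, resp = client_answer(issue_challenge())
    return dest, server_verify(resp)  # ('site-a.example', True)

def relay_rewritten_host():
    """Phisher rewrites the host so the client replies to it, then forwards the reply to Site A."""
    _, nonce, mac = issue_challenge().split("|")
    dest, resp = client_answer(f"{EVIL_HOST}|{nonce}|{mac}")
    forwarded_as_is = server_verify(resp)               # HMAC broken, host not ours -> False
    resp["challenge"] = f"{LEGIT_HOST}|{nonce}|{mac}"   # phisher swaps the original back in
    return dest, forwarded_as_is, server_verify(resp)   # client signature no longer matches -> False
```

In the tampered case the reply does reach the phisher's host, but Site A rejects it both with the rewritten challenge and after the original challenge is swapped back, since the client's signature covers the challenge exactly as it was shown.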

SymbianSyMoh commented on June 23, 2024

Hi @shellster, sorry for my delayed reply. Yes, for sure the attack is not that very new, and there are some sources that just walked around it, but we went into it in a detailed way!

Also, how do you see, in a summarized way, that SQRL mitigates such an attack?
