Duplicate Passkey implementation lacks signature counter to prevent clone attacks

SeToY

Well-known member
Affected version: 2.3.6
Hey there,

I was digging into the WebAuthn implementation and noticed that the xf_passkey table doesn’t store the authenticator’s signature counter.

Because there's no sign_count (or equivalent thereof), the server never checks whether the counter returned by the authenticator is strictly increasing, although the library supports it. So XF seems to be currently vulnerable to replay-style assertion attacks and doesn't provide clone detection.

The WebAuthn spec explicitly recommends verifying and storing the counter to detect cloned authenticators:

Cheers

Edit: Duplicated.
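For readers following the report, here is an added illustration of the check the post is asking for, written in Python and not taken from XenForo, its WebAuthn library, or the post. It assumes a stored per-credential counter (the `sign_count` column the post says is missing), parses `signCount` out of authenticator data (WebAuthn §6.1 layout: rpIdHash[32] | flags[1] | signCount[4]), and applies the comparison from the assertion verification procedure: a counter that fails to advance is treated as a replay or clone signal. The authenticator data is constructed locally for the example.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Tuple


@dataclass
class StoredCredential:
    """Server-side record for one passkey; sign_count is the last
    counter value accepted for it (0 if none has been seen yet).
    This mirrors the column the bug report says xf_passkey lacks."""
    credential_id: bytes
    sign_count: int = 0


def parse_sign_count(auth_data: bytes) -> int:
    """Extract signCount from WebAuthn authenticator data.

    Layout (WebAuthn §6.1):
      rpIdHash[32] | flags[1] | signCount[4, big-endian] | optional extras
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    return struct.unpack(">I", auth_data[33:37])[0]


def check_sign_count(stored: StoredCredential, auth_data: bytes) -> Tuple[bool, str]:
    """Counter check from WebAuthn §7.2 (verifying an assertion).

    Returns (accept, reason). On accept the updated counter is written back
    to `stored`; a real implementation persists it in the same transaction
    that completes the login.
    """
    new_count = parse_sign_count(auth_data)

    if new_count == 0 and stored.sign_count == 0:
        # Authenticator does not implement a counter; nothing to compare.
        return True, "no counter support"

    if new_count > stored.sign_count:
        # Strictly increasing: expected behaviour, record the new value.
        stored.sign_count = new_count
        return True, "counter advanced"

    # Equal or lower than the stored value: either the same assertion was
    # replayed or a second (cloned) copy of the key material is in use.
    return False, "possible cloned authenticator or replayed assertion"


def make_auth_data(sign_count: int, rp_id: str = "example.invalid", flags: int = 0x05) -> bytes:
    """Constructed authenticator data for the example (not a real device's
    output). flags=0x05 sets UP (user present) and UV (user verified)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def demo() -> list:
    """Walk one credential through a normal login, a replay and a rollback."""
    cred = StoredCredential(credential_id=b"\x01\x02\x03", sign_count=41)
    outcomes = []
    for count in (42, 42, 17):
        outcomes.append(check_sign_count(cred, make_auth_data(count)))
    return outcomes


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", "-", reason)
```

The rule that makes clone detection work is the strict inequality: a counter that merely matches the stored value is rejected, because a cloned authenticator that has not been used since the copy was taken will present exactly that value. Storing the counter is therefore the prerequisite; without a persisted value there is nothing for the library's comparison to run against.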
