[Openid-specs-fapi] Issue #543: Browser swap attack explained on 2022-09-28 (openid/fapi)

Nat issues-reply at bitbucket.org
Sat Oct 1 07:36:50 UTC 2022


New issue 543: Browser swap attack explained on 2022-09-28
https://bitbucket.org/openid/fapi/issues/543/browser-swap-attack-explained-on-2022-09

Nat Sakimura:

Daniel explained this attack on the 2022-09-29 call.

![](https://bitbucket.org/repo/K7gLBb/images/1555464640-Browser%20Mixup%20Attack.png)
The specifics of (a) how the Attacker forwards the Authz response to itself and (b) how it stops the redirect were not given.

(a) is necessary for the attack. (b) increases the probability of success by stopping the race condition.

Suggested ways to achieve (a):

1. Attacker-controlled proxy server between the Victim and the AS
2. Leaking browser history/logs


Responsible: Daniel Fett
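As an added worked illustration (not part of Nat's post, Daniel's diagram, or any FAPI implementation), the simulation below models step (a), the attacker delivering the Victim's authorization response from the attacker's own browser, with step (b) modelled simply by never delivering the response in the Victim's browser. It goes slightly beyond the post by contrasting two client designs: a redirect handler that finds the pending flow by the returned `state` alone, and one that binds the pending flow (state and PKCE code_verifier) to the browser session cookie that started it. The stand-in AS, client, cookie names and the PKCE binding are assumptions for the example.

```python
# Added simulation of the browser-swap attack described above; not code from
# the FAPI issue, the diagram, or any OpenID implementation. The AS, client,
# cookie names and the two "pending flow lookup" designs are assumptions.
import base64
import hashlib
import secrets
from dataclasses import dataclass, field


def b64url_sha256(s: str) -> str:
    """PKCE S256 transform of a code_verifier (RFC 7636)."""
    digest = hashlib.sha256(s.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


@dataclass
class PendingFlow:
    state: str
    code_verifier: str


@dataclass
class FakeAS:
    """Stand-in authorization server: each code is single-use and bound to a PKCE challenge."""
    codes: dict = field(default_factory=dict)  # code -> (user, code_challenge)

    def authorize(self, user: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, code_challenge)
        return code  # the AS redirects the browser back with (code, state)

    def token(self, code: str, code_verifier: str) -> dict:
        user, challenge = self.codes.pop(code)  # pop: a second redemption raises KeyError
        if not secrets.compare_digest(b64url_sha256(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return {"sub": user}


class Client:
    """OAuth client. session_bound selects how the redirect handler finds the pending flow:
    False: by the returned `state` alone (any browser can deliver any response);
    True:  from the delivering browser's own session, then checks `state` against it."""

    def __init__(self, as_: FakeAS, session_bound: bool):
        self.as_ = as_
        self.session_bound = session_bound
        self.flows_by_session: dict[str, PendingFlow] = {}
        self.flows_by_state: dict[str, PendingFlow] = {}
        self.logged_in: dict[str, str] = {}  # session cookie -> user

    def start(self, session: str) -> tuple[str, str]:
        """Begin a flow in `session`; returns (state, code_challenge) for the authz request."""
        flow = PendingFlow(secrets.token_urlsafe(16), secrets.token_urlsafe(32))
        self.flows_by_session[session] = flow
        self.flows_by_state[flow.state] = flow
        return flow.state, b64url_sha256(flow.code_verifier)

    def callback(self, session: str, state: str, code: str):
        """Redirect-URI handler. Returns the logged-in user, or None if rejected."""
        if self.session_bound:
            flow = self.flows_by_session.get(session)
            if flow is None or not secrets.compare_digest(flow.state, state):
                return None  # no flow started in this browser, or state mismatch
            del self.flows_by_session[session]
            self.flows_by_state.pop(flow.state, None)
        else:
            flow = self.flows_by_state.pop(state, None)
            if flow is None:
                return None
        try:
            user = self.as_.token(code, flow.code_verifier)["sub"]
        except (KeyError, ValueError):
            return None
        self.logged_in[session] = user
        return user


def browser_swap(session_bound: bool):
    """Victim starts a flow; attacker captures the authz response (a) and the Victim's
    redirect is stopped (b); attacker delivers the response from its own browser.
    Returns the user the attacker's session ends up logged in as (None = attack failed)."""
    as_ = FakeAS()
    client = Client(as_, session_bound)
    state, challenge = client.start("victim-cookie")
    code = as_.authorize("victim", challenge)
    # (a): attacker now holds (code, state); (b): victim-cookie never calls back.
    return client.callback("attacker-cookie", state, code)


def honest_login(session_bound: bool):
    """Normal flow: the same browser that started the flow delivers the response."""
    as_ = FakeAS()
    client = Client(as_, session_bound)
    state, challenge = client.start("victim-cookie")
    code = as_.authorize("victim", challenge)
    return client.callback("victim-cookie", state, code)
```

With the state-only lookup the attacker's browser ends up logged in as the Victim even though the code is PKCE-bound, because the client redeems it with the Victim's own code_verifier; with the session-bound lookup the attacker's browser has no pending flow and the response is rejected. Stopping the Victim's redirect (b) matters for the first design only because otherwise the Victim's browser would usually pop the pending flow and redeem the single-use code first.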


