Skip to content
This repository has been archived by the owner on May 1, 2021. It is now read-only.
/ fido2 Public archive

Man in the Browser Attack on FIDO2. Proof of concept. Just another school project.

Notifications You must be signed in to change notification settings

cyrillbolliger/fido2

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 

Repository files navigation

FIDO2 - What can a man in the browser do?

Analysis of the strength of a man in the browser against the FIDO2 authentication mechanism.

Yet another school project.

Abstract

This paper examines what harm a malicious browser extension can do to a FIDO2 authentication. Many investigations on the security of FIDO2 have been published but none of them scrutinizes browser extensions explicitly. However, browser extensions are fairly common and extremely powerful. Therefore, this study analyzes the threat of a malicious browser extension in theory and fortifies the findings with a practical proof of concept implementation. It identifies a rogue browser extension as a serious threat to the level of assurance of FIDO2 as the man-in-the-browser is able to register a forged public key and subsequently authenticate without user interaction at any time. Hence, the suitability of FIDO2, without an additional out of band verification, as authentication method in a high security context is questioned.

Read more

How to run the browser extension

  • Install Firefox, node 12, webpack 5 and web-ext 4.
  • Clone the repo.
  • Run npm run build to package the source.
  • Then execute web-ext run to lauch Firefox with the extension.
  • Navigate into the extensions console (!= the regular dev tools console).
  • Register with your FIDO2 device on webauthn.io (attestation type none), then login.
  • Check the extension console to see what happend.

About

Man in the Browser Attack on FIDO2. Proof of concept. Just another school project.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published