Hey there,

I was digging into the WebAuthn implementation and noticed that the xf_passkey table doesn't store the authenticator's signature counter. Because there's no sign_count (or equivalent thereof), the server never checks whether the counter returned by the authenticator is strictly increasing, although the library supports it. So XF seems to be currently vulnerable to replay-style assertion attacks and doesn't provide clone detection. The WebAuthn spec explicitly...
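For readers who want to see what the missing check looks like, here is an added example (not XenForo's code, and not the poster's) of the signCount comparison that the WebAuthn assertion verification steps ask a Relying Party to perform. It assumes a hypothetical per-credential record with a stored sign_count, which is exactly the column the post says xf_passkey lacks; the authenticatorData bytes are constructed inline for the demo.

```python
"""Added example: the WebAuthn signature-counter check a Relying Party
should run on every assertion. Not XenForo's code; the CredentialRecord
store is a hypothetical stand-in for a sign_count column."""
import struct
from dataclasses import dataclass
from typing import List

# Flag bits of the authenticatorData flags byte (WebAuthn section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


@dataclass
class CredentialRecord:
    """Hypothetical stored credential; sign_count is the last counter seen."""
    credential_id: bytes
    sign_count: int


def parse_sign_count(auth_data: bytes) -> int:
    """Extract signCount from raw authenticatorData.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return struct.unpack(">I", auth_data[33:37])[0]


def check_sign_count(record: CredentialRecord, auth_data: bytes) -> str:
    """Compare the authenticator's counter with the stored one.

    Returns "ok" (counter advanced; stored value updated), "unsupported"
    (authenticator does not implement a counter) or "clone_suspected"
    (counter did not advance: replayed assertion or cloned authenticator).
    """
    new_count = parse_sign_count(auth_data)
    if new_count == 0 and record.sign_count == 0:
        # Both zero: the authenticator never increments, nothing to compare.
        return "unsupported"
    if new_count > record.sign_count:
        record.sign_count = new_count
        return "ok"
    # Counter went backwards or stood still; the spec treats this as a
    # cloning signal that the RP should feed into its risk decision.
    return "clone_suspected"


def make_auth_data(sign_count: int, flags: int = FLAG_UP | FLAG_UV) -> bytes:
    """Constructed authenticatorData for testing: dummy rpIdHash, flags, counter."""
    return b"\x00" * 32 + bytes([flags]) + struct.pack(">I", sign_count)


def demo() -> List[str]:
    """Walk one credential through a genuine login, a replay, a lagging clone
    and a later genuine login, then a counter-less authenticator."""
    record = CredentialRecord(credential_id=b"cred-1", sign_count=5)
    results = []
    results.append(check_sign_count(record, make_auth_data(6)))   # advances 5 -> 6
    results.append(check_sign_count(record, make_auth_data(6)))   # same assertion again
    results.append(check_sign_count(record, make_auth_data(3)))   # clone that lagged behind
    results.append(check_sign_count(record, make_auth_data(10)))  # genuine device again
    no_counter = CredentialRecord(credential_id=b"cred-2", sign_count=0)
    results.append(check_sign_count(no_counter, make_auth_data(0)))
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is that the stored counter must be written back on every successful assertion; a column that is populated at registration but never updated gives no more protection than no column at all. What the RP does on "clone_suspected" (reject, step up, alert) is a policy choice the spec leaves to the RP.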