Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stream Audience Mix-Up #161

Closed
PedramHD opened this issue May 7, 2024 · 0 comments · Fixed by #173
Closed

Stream Audience Mix-Up #161

PedramHD opened this issue May 7, 2024 · 0 comments · Fixed by #173
Labels
sec-analysis spec:SSF vID-03 Address this issue before the v3 cutoff (June 15, 2024)

Comments

@PedramHD
Copy link

PedramHD commented May 7, 2024

The SSF specification does not require authentication of Receivers at Transmitters. Under certain conditions, this enables an attacker to get a SET for audience values of other Receivers.

Please note that this issue is part of the ongoing formal security analysis of the SSF specification. We already created a formal model of the specification, identified and formalized security properties, and described the assumptions (as also agreed upon with the Working Group) upon which the analysis is based here: https://github.com/openid/sharedsignals/files/15014966/2024-04-09_WP4.1a-Report.pdf

Setting

In the following, we briefly summarize the relevant assumptions from our report.

  1. There is no Receiver authentication, as the SSF specification has no requirements on authentication of the Receiver at the Transmitter.
  2. The audience values of the Receivers are not secret and, therefore, known to the attacker. (For example, the audience value can be a domain of the Receiver, a number that the Transmitter increases for each new Receiver, or some low-entropy value that is easily guessable.)
  3. Transmitters can distinguish between different Receivers when receiving requests to the management endpoint, e.g., by providing different URLs to each Receiver (these URLs essentially contain the audience value).
  4. Subjects are added to a stream based on authorization tokens contained in the request to the add subject endpoint.

Detailed Description

Under this setting, the attacker can trivially get SETs for the audience value of an honest Receiver: Let u be the identifier (i.e., the audience value) of an honest Receiver r at an honest Transmitter t. Without authentication, the attacker can create a new stream at t for the audience value u, and can therefore (at a later step) receive a SET with this audience. (The attacker would potentially need to first add subjects to the stream, which can happen for subjects for which the attacker is authorized). This breaks the confidentiality property described in our report (see Section 4.3). This would be particularly problematic if, upon creating a stream for u, the Transmitter would add certain subjects that only r is authorized to access information about.

Possible Fix

One possible fix is to mandate authentication at the management API, i.e., the Transmitter would use the authenticated identity value as the audience of the SET.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
sec-analysis spec:SSF vID-03 Address this issue before the v3 cutoff (June 15, 2024)
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Added language requiring authorization of stream management API openid/sharedsignals
3 participants
@FragLegs @timcappalli @PedramHD