#subdomainhijacking — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #subdomainhijacking, aggregated by home.social.
-
@ScottHelme from https://scotthelme.co.uk/open-sourcing-passkeys-php-a-security-focused-webauthn-library-for-php/:
"It now requires an exact match or a true subdomain."
That is probably insufficient. Please read https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 by Dirk Balfanz (Google, screenshot of part of the entry below).
Google doesn't want potentially malicious (e.g. https://sites.google.com) or "forgotten" subdomains (https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Subdomain_takeover) to be able to handle passkeys.
As shown in Google's example, it's best to explicitly whitelist ALL subdomains that may interact with passkeys to prevent (future) oversight.
PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in https://todon.nl/@ErikvanStraten/116595157772945666.
Edited to add: many commercial websites use subdomains to which third parties have access (such as track.example.com), for example for mass mailings. You don't want a third party that has gone rogue to be able to handle WebAuthn registrations and logins on the subdomain of yours that they use.
According to the RELATIONS tab in https://www.virustotal.com/gui/domain/report-uri.com your domain has (at least) 3.2K subdomains. Do you trust each of them?
#Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking
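The origin check the post argues about, as an added example that is not code from passkeys-php or from the post: the loose "exact match or true subdomain" policy beside an explicit origin allowlist, both run over a constructed clientDataJSON. The RP ID example.com, the allowlist and all origins are assumptions.

```python
"""Added example, not from passkeys-php: two WebAuthn origin policies.
RP ID, allowlist, origins and the clientDataJSON blob are constructed."""
import json
from urllib.parse import urlsplit

RP_ID = "example.com"  # constructed Relying Party ID

# Only origins the RP deliberately registered (the post's recommendation).
ALLOWED_ORIGINS = frozenset({"https://example.com", "https://login.example.com"})


def _https_host_and_port(origin):
    """Return (host, port) for an https origin, or None if not usable."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower(), port


def origin_matches_rp_id_loosely(origin, rp_id=RP_ID):
    """Loose policy the post calls insufficient: exact match or any subdomain."""
    hp = _https_host_and_port(origin)
    return hp is not None and (hp[0] == rp_id or hp[0].endswith("." + rp_id))


def origin_is_allowlisted(origin, allowed=ALLOWED_ORIGINS):
    """Strict policy: the normalised origin must be in the explicit allowlist."""
    hp = _https_host_and_port(origin)
    if hp is None:
        return False
    host, port = hp
    netloc = host if port in (None, 443) else f"{host}:{port}"
    return f"https://{netloc}" in allowed


def check_client_data(client_data_json):
    """Verdict of each policy for the origin recorded in one clientDataJSON."""
    data = json.loads(client_data_json)
    if data.get("type") not in ("webauthn.create", "webauthn.get"):
        raise ValueError("unexpected clientDataJSON type")
    origin = data["origin"]
    return {"origin": origin,
            "loose": origin_matches_rp_id_loosely(origin),
            "allowlist": origin_is_allowlisted(origin)}


# Constructed clientDataJSON: a login attempt from a third-party-run subdomain.
SAMPLE_CLIENT_DATA = json.dumps({"type": "webauthn.get",
                                 "challenge": "placeholder-challenge",
                                 "origin": "https://track.example.com"}).encode()
```

The loose policy accepts the mailing subdomain while the allowlist rejects it; a forgotten or hijacked subdomain gets the same verdicts.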