webauthn icon indicating copy to clipboard operation
webauthn copied to clipboard

Published 20 hours ago verified publisher icon duo-labs

Not update Authenticator.SignCount when cloned authenticator is detected

Open m9a opened this issue 4 years ago • 3 comments

@nicksteele @emlun I noticed that the code updates the SignCount even when a cloned authenticator is detected. I believe we should be returning immediately after the clone warning is true. wdyt?

https://github.com/duo-labs/webauthn/blob/master/webauthn/authenticator.go#L47

func (a *Authenticator) UpdateCounter(authDataCount uint32) {
	if authDataCount <= a.SignCount && (authDataCount != 0 || a.SignCount != 0) {
		a.CloneWarning = true
	}
	a.SignCount = authDataCount
}

m9a avatar Jul 24 '21 01:07 m9a

That seems reasonable to me. I haven't thought hard about it, but indeed I guess the current logic would likely decrease the stored signature count, which you probably don't want. So yes, returning early (or explicitly separating a.CloneWarning = true and a.SignCount = authDataCount into the mutually exclusive if-else branches) should prevent that.

I'm not a developer of this library, though, so the decision is not mine to make.

emlun avatar Jul 27 '21 09:07 emlun

@emlun thanks! I have created the MR: https://github.com/duo-labs/webauthn/pull/93. It's a fairly quick one :) I have added you and @nicksteele as the reviewers. I am new to the library and not quite sure if there are any active developers. Do you have any suggestions for reviewers?

m9a avatar Jul 30 '21 05:07 m9a

@MasterKale this one can be closed as it w as resolved by #93

james-d-elliott avatar Jan 21 '22 23:01 james-d-elliott