
Profile pictures have to be downloaded before filtering #672

Open
cbiesinger opened this issue Oct 30, 2024 · 0 comments · May be fixed by #670
@cbiesinger

Currently, the spec says that profile pictures are downloaded after the account list is filtered (using login hint or domain hint). Therefore, only profile pictures for accounts that are not filtered are downloaded.

This provides a privacy attack if RP and IDP collude. Specifically, an IDP can list the same account N times each with a different label and picture URL. Because the accounts fetch is credentialed, the URL can also include identifying information. The RP can then request a hint corresponding to one of the N accounts, and the IDP will get exactly one fetch indicating what the hint was.

This way, an RP can communicate log_2(N) bits to the IDP before user confirmation.

To fix this, all account pictures need to be downloaded before filtering.
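A small model of the side channel described in this issue, added here as an illustration and not code from the FedCM spec or any browser: a constructed accounts list repeats one user N times with a distinct `login_hints` value and picture URL per entry, and the two spec orderings (filter then fetch, versus fetch then filter) are compared by how many distinct picture-fetch patterns the IdP can observe across all possible hints. The account shape and the hint filter are simplified assumptions.

```python
import math


def make_accounts(n):
    """Constructed IdP accounts response: the same user listed n times, each
    entry carrying its own login hint and a picture URL that encodes its index.
    Because the picture fetch is credentialed, the index identifies the user."""
    return [
        {
            "id": "user-1",
            "email": "user@idp.example",
            "login_hints": [f"hint{i}"],
            "picture": f"https://idp.example/pic?tag={i}",  # distinct per entry
        }
        for i in range(n)
    ]


def filter_accounts(accounts, login_hint):
    """Simplified login-hint filter: keep entries whose login_hints contain the hint."""
    return [a for a in accounts if login_hint in a["login_hints"]]


def fetch_pictures(accounts, idp_log):
    """Model the browser fetching each shown picture; the IdP sees the URLs."""
    for a in accounts:
        idp_log.append(a["picture"])


def run_flow(accounts, login_hint, fetch_before_filter):
    """One FedCM request from the RP with a login hint. Returns the entries that
    reach the chooser and the picture URLs the IdP observed being fetched."""
    idp_log = []
    if fetch_before_filter:  # proposed fix: download every picture, then filter
        fetch_pictures(accounts, idp_log)
        shown = filter_accounts(accounts, login_hint)
    else:  # current spec text: filter first, so only matching pictures are fetched
        shown = filter_accounts(accounts, login_hint)
        fetch_pictures(shown, idp_log)
    return shown, idp_log


def leaked_bits(accounts, fetch_before_filter):
    """Bits the IdP learns about the RP's hint before the user confirms anything:
    log2 of the number of distinguishable fetch patterns over all N hints."""
    patterns = set()
    for a in accounts:
        _, log = run_flow(accounts, a["login_hints"][0], fetch_before_filter)
        patterns.add(tuple(sorted(log)))
    return math.log2(len(patterns))
```

With N = 8 entries, filter-then-fetch yields 8 distinguishable patterns (3 bits, matching the log_2(N) figure above), while fetch-then-filter yields a single pattern (0 bits).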

@cbiesinger cbiesinger added the agenda+ Regular CG meeting agenda items label Oct 30, 2024
@yi-gu yi-gu removed the agenda+ Regular CG meeting agenda items label Nov 6, 2024