Currently, the spec says that profile pictures are downloaded after the account list is filtered (using login hint or domain hint). Therefore, only profile pictures for accounts that are not filtered are downloaded.
This provides a privacy attack if RP and IDP collude. Specifically, an IDP can list the same account N times each with a different label and picture URL. Because the accounts fetch is credentialed, the URL can also include identifying information. The RP can then request a hint corresponding to one of the N accounts, and the IDP will get exactly one fetch indicating what the hint was.
This way, an RP can communicate log_2(N) bits to the IDP before user confirmation.
To fix this, all account pictures need to be downloaded before filtering.
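An added illustration of the point above, written for this discussion rather than taken from the FedCM spec or from the issue author: a small model of the two fetch orderings, with an "IdP observation" defined as the set of picture URLs the browser requests. The account records, the hint values, the `login_hints`/`picture` field names and all function names are constructed for the example and only loosely mirror the accounts-endpoint shape. With filter-then-fetch the observation varies with the hint, so the IdP can distinguish N cases (log2 N bits); with fetch-then-filter every hint produces the same observation, so nothing is learned before the user confirms.

```python
import math

# Constructed IdP accounts response (example data, not a real endpoint):
# the same user listed N times, each entry with its own hint and picture URL.
N = 8
ACCOUNTS = [
    {
        "id": f"alice-{i}",
        "login_hints": [f"hint-{i}"],
        "picture": f"https://idp.example/pic?tag={i}",
    }
    for i in range(N)
]


def filter_accounts(accounts, login_hint):
    """Apply the RP-supplied login hint; None means no filtering."""
    if login_hint is None:
        return accounts
    return [a for a in accounts if login_hint in a["login_hints"]]


def browser_filter_then_fetch(accounts, login_hint):
    """Current spec ordering: filter first, then fetch pictures.

    Returns the set of picture URLs the IdP server would see requested.
    """
    shown = filter_accounts(accounts, login_hint)
    return frozenset(a["picture"] for a in shown)


def browser_fetch_then_filter(accounts, login_hint):
    """Proposed ordering: fetch every picture, then filter for display.

    The IdP sees the full set of picture requests regardless of the hint.
    """
    fetched = frozenset(a["picture"] for a in accounts)
    _shown = filter_accounts(accounts, login_hint)  # display only, no new fetches
    return fetched


def observations_by_hint(strategy, accounts):
    """Map each hint the RP could send to what the IdP observes."""
    hints = [a["login_hints"][0] for a in accounts]
    return {h: strategy(accounts, h) for h in hints}


def leaked_bits(strategy, accounts):
    """Bits the IdP can learn about the hint before user confirmation.

    Computed as log2 of the number of distinguishable observations;
    0 bits means every hint looks identical to the IdP.
    """
    distinct = set(observations_by_hint(strategy, accounts).values())
    return math.log2(len(distinct))


if __name__ == "__main__":
    print("filter-then-fetch leaks", leaked_bits(browser_filter_then_fetch, ACCOUNTS), "bits")
    print("fetch-then-filter leaks", leaked_bits(browser_fetch_then_filter, ACCOUNTS), "bits")
```

The property worth checking in an implementation is the one `leaked_bits` encodes: the IdP's view of the picture fetches must be independent of the RP-supplied hint, which holds only when the full set is fetched before filtering.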