Passkey implementation lacks signature counter to prevent clone attacks

Status: This content is read-only, or is not open for further replies.

SeToY

Guest

offline

OP
Jun 30, 2025
0
168

Hey there,

I was digging into the WebAuthn implementation and noticed that the xf_passkey table doesn’t store the authenticator’s signature counter.

Because there's no sign_count (or equivalent thereof), the server never checks whether the counter returned by the authenticator is strictly increasing although the library supports it. So XF seems to be currently vulnerable to replay-style assertion attacks and doesn't provide clone detection.

The WebAuthn spec explicitly...

Read more

Continue reading...

Show hidden low quality content

Status: This content is read-only, or is not open for further replies.

Facebook Reddit Pinterest WhatsApp Email Link

This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.

Accept Learn more…

Top Bottom