[Webkit-unassigned] [Bug 219434] New: [WebAuthn] Crash of the browser when rp.icon is too long and device is Yubikey (overflow?)

bugzilla-daemon at webkit.org
Wed Dec 2 09:28:53 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=219434

            Bug ID: 219434
           Summary: [WebAuthn] Crash of the browser when rp.icon is too
                    long and device is Yubikey (overflow?)
           Product: WebKit
           Version: Safari 14
          Hardware: Macintosh
                OS: macOS 10.15
            Status: NEW
          Severity: Major
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: fortin81 at gmail.com

Created attachment 415228

  --> https://bugs.webkit.org/attachment.cgi?id=415228&action=review

Data to pass to navigator.credentials.create to reproduce

Hi,

I'm not sure of the implications of this issue, but I believe someone might be interested in having a look, as this JS WebAuthn call generates a crash on most current browsers.

The problem seems to happen with navigator.credentials.create(data) when providing the data with an rp.icon containing more than 8kb of base64-encoded PNG and using a Yubikey USB device (model "5 NFC" here): the browsers just crash.

Example data to reproduce, with rp.icon being 9kb, is attached to this bug; I encoded it with JSON.stringify to save it.

It happens on Safari 14.0 (15610.1.28.1.9, 15610), Safari Technology Preview 116 (and also Chrome 87.0.4280.67, but not Firefox 83.0) on macOS Catalina 10.15.7.

If the USB device is not connected, the browsers don't crash.

I don't have any other USB webauthn device to check if this is specific to Yubikeys, but when using SoftU2F the call doesn't make the browsers crash.
I also don't have a Windows or Linux machine to check if this is specific to macOS.

-- 
You are receiving this mail because:
You are the assignee for the bug.
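
A relying-party-side guard for the condition described in the report, given here as an added example that is not part of the original bug report or of WebKit's code: it drops oversized icon values from the options before they reach navigator.credentials.create. The 8 KiB limit is an assumption taken from the reporter's "more than 8kb" observation, the function and sample names are hypothetical, and the check covers user.icon as well as rp.icon, which goes beyond the case reported.

```javascript
// Added example: guard for icon members in WebAuthn create() options.
// ICON_LIMIT_BYTES is an assumption based on the "more than 8kb" figure in the report.
const ICON_LIMIT_BYTES = 8 * 1024;

// Size in bytes of a string once UTF-8 encoded.
function byteLength(str) {
  return new TextEncoder().encode(str).length;
}

// Returns { options, findings }: a shallow copy of the publicKey options with
// oversized icon members removed, and a list describing what was removed.
// The caller's object is not modified.
function guardIconFields(publicKey, limit = ICON_LIMIT_BYTES) {
  const findings = [];
  const options = { ...publicKey };
  for (const entity of ["rp", "user"]) {
    const value = publicKey[entity];
    if (!value || typeof value.icon !== "string") continue;
    const size = byteLength(value.icon);
    if (size > limit) {
      const { icon, ...rest } = value;   // keep every member except icon
      options[entity] = rest;
      findings.push({
        field: `${entity}.icon`,
        size,
        isDataUrl: icon.startsWith("data:"),
      });
    }
  }
  return { options, findings };
}

// Constructed sample: a 9 KiB base64 payload, similar in size to the one in the report.
const sampleOptions = {
  rp: { name: "Example RP", icon: "data:image/png;base64," + "A".repeat(9 * 1024) },
  user: { id: new Uint8Array([1, 2, 3, 4]), name: "alice", displayName: "Alice",
          icon: "https://rp.example/avatar.png" },
  challenge: new Uint8Array(32),
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],
};

const result = guardIconFields(sampleOptions);
console.log(result.findings);
// In a page: navigator.credentials.create({ publicKey: result.options })
```

The findings list is meant for server-side or console logging so that an oversized icon in the relying party's configuration gets noticed and fixed at the source.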