[Webkit-unassigned] [Bug 273121] New: [WebAuthn] MakeCred with UV=true was sent twice+ under NFC transport in some conditions.
bugzilla-daemon at webkit.org
Tue Apr 23 05:19:48 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=273121
Bug ID: 273121
Summary: [WebAuthn] MakeCred with UV=true was sent twice+ under
NFC transport in some conditions.
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: nuno.sung at authentrend.com
Created attachment 471067
--> https://bugs.webkit.org/attachment.cgi?id=471067&action=review
wireshark_3_successfully_makeCred_response
MacOS intel at Monterey 12.7.5 and M1 at Sonoma 14.4.1
Safari: 17.4.1 and 17.5
NFC Card readers: ACR1581U, HID OMNIKEY 5022 CL
Authenticator: ATKey.Card NFC with FP sensor
When adding a security key passkey to a Google account, what we observed through Wireshark is:
- The makeCred command has the options "rk": true, "uv": true, so the UP flag can be gained by processing the UV check, not only by NFC tap.
- The same makeCred command was sent twice in a short time (in this case it's about 2~3 sec); this causes the previous successfully generated credential in the authenticator to be overwritten again immediately.
- But the RP in this case will just receive the 1st .create() response, not the latest one.
The conditions that let this issue happen should be related to the below:
- Put the authenticator on the reader first, then put a finger on just after 1.5 sec to let Safari trigger some retry mechanism.
- The exclude list size may affect the process time, but I can't tell if this is a key step.
- As in the attachment, you can see the authenticator returns 3 successful makeCred responses back because there are 3 makeCred commands.
- The 1st command cost the authenticator 2 sec to process, due to the 1.5 sec wait for finger on.
- The 2nd command cost the authenticator 500 ms to process.
- The 3rd command cost the authenticator 600 ms to process.
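
A check that could be run over a decoded CTAP capture to flag the condition described in the report above. This is an added example, not part of the original report or of WebKit; the record layout, the names `Exchange` and `find_repeated_make_credential`, and the sample trace are assumptions, and the trace is constructed.

```python
from dataclasses import dataclass

CTAP2_MAKE_CREDENTIAL = 0x01  # authenticatorMakeCredential command byte
CTAP2_OK = 0x00               # CTAP2 success status byte

@dataclass
class Exchange:
    """One decoded command/response pair (hypothetical record layout)."""
    t_cmd: float              # seconds: command sent to the authenticator
    t_rsp: float              # seconds: response returned
    cmd: int
    status: int
    rp_id: str
    user_id: bytes
    client_data_hash: bytes
    credential_id: bytes      # credential ID carried in the response

# Constructed trace shaped like the report: three identical requests that all
# succeed (about 2 s, 500 ms and 600 ms), plus one unrelated registration.
H = b"\xaa" * 32
TRACE = [
    Exchange(0.0, 2.0, 0x01, 0x00, "rp.example", b"user-1", H, b"cred-A"),
    Exchange(2.3, 2.8, 0x01, 0x00, "rp.example", b"user-1", H, b"cred-B"),
    Exchange(3.0, 3.6, 0x01, 0x00, "rp.example", b"user-1", H, b"cred-C"),
    Exchange(9.0, 9.5, 0x01, 0x00, "other.example", b"user-2", b"\xbb" * 32, b"cred-Z"),
]

def find_repeated_make_credential(trace):
    """Flag makeCredential requests re-sent after an identical one succeeded."""
    first_ok, findings = {}, {}
    for ex in sorted(trace, key=lambda e: e.t_cmd):
        if ex.cmd != CTAP2_MAKE_CREDENTIAL or ex.status != CTAP2_OK:
            continue
        key = (ex.rp_id, ex.user_id, ex.client_data_hash)
        first = first_ok.setdefault(key, ex)
        if first is ex or ex.t_cmd < first.t_rsp:
            continue  # first success, or sent before that success came back
        f = findings.setdefault(key, {
            "rp_id": ex.rp_id,
            "first_credential": first.credential_id,  # per the report, what the RP gets
            "repeats": 0,
        })
        f["repeats"] += 1
        f["last_credential"] = ex.credential_id       # per the report, what remains
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_repeated_make_credential(TRACE):
        print(finding)
```

A finding whose `first_credential` differs from `last_credential` marks the mismatch the report describes between the response the RP received and the credential left on the authenticator.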