Authentication of merchant domain and details #1014
Comments
Hi @mimi89999. I'm afraid I don't really follow your described attack scenario. What does it mean in step 3 for In general, it sounds like in your attack that
Not exactly. In my case
Thanks. I think my question still stands - what does it mean within the context of the Payment Request API to "relay the request" to you?
If I understand the scenario, the fraud you describe would be possible with or without using payment request. Is that correct? Or are you indicating that payment request introduces a new attack surface?
The difference is that now the total and list of items are displayed on the website and they should not be trusted more than any other content on the website. With payment requests that information could be displayed in some browser UI or banking web app, and I fear that it might be difficult for users to evaluate how much they should trust the information that will be displayed there.
If we stick to trust in the payment process, the user-signed transaction request should preferably include the domain name of the merchant. Since this part could be collected by the browser during SPC invocation, it is not possible to fake. This makes relaying (or stealing) authorizations much less useful, here assuming that verifiers check this parameter as well as the claimed receive account etc.
In that case it might vary greatly between payment processors. IIRC the spec doesn't say that the payment method provider should verify that.
Fwiw, this issue was filed against Payment Request in general, and not SPC (https://github.com/w3c/secure-payment-confirmation) specifically. @mimi89999 if you are thinking of SPC specifically please let me know, but otherwise I'm assuming general Payment Request.
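An added illustration of the check proposed in that comment (example code written for this page, not code from the Payment Request or SPC specifications or from anyone in this thread): the browser, not the calling page, fills in the origin of the signed client data, so a verifier that compares that origin with the merchant it is actually processing a payment for rejects a relayed authorization. The field names, the HMAC stand-in for the authenticator's credential key, and all sample values are assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the authenticator's credential key. Real SPC uses a
# WebAuthn public-key credential; the origin/amount checks below are the same.
AUTHENTICATOR_KEY = b"constructed-demo-key-not-a-real-credential"


def browser_sign(origin, payee_origin, total, challenge):
    """Model of the browser building SPC-style client data before signing.
    'origin' is filled in by the browser from the calling page, so a page
    cannot claim another site's origin; the other fields come from the page."""
    client_data = {"type": "payment.get", "origin": origin,
                   "payee": payee_origin, "total": total, "challenge": challenge}
    payload = json.dumps(client_data, sort_keys=True).encode()
    sig = hmac.new(AUTHENTICATOR_KEY, payload, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def verify(assertion, expected, check_origin=True):
    """Verifier side (issuer/PSP). 'expected' holds what the verifier itself
    knows about the transaction it issued the challenge for. Returns (ok, reason)."""
    cd = assertion["client_data"]
    payload = json.dumps(cd, sort_keys=True).encode()
    want = hmac.new(AUTHENTICATOR_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, assertion["signature"]):
        return False, "bad signature"
    if cd["challenge"] != expected["challenge"]:
        return False, "challenge mismatch (replayed assertion)"
    if cd["payee"] != expected["payee"] or cd["total"] != expected["total"]:
        return False, "payee/total differ from the transaction being authorised"
    # The check the comment above argues for: the browser-supplied origin must
    # be the merchant this verifier is processing a payment for.
    if check_origin and cd["origin"] != expected["origin"]:
        return False, f"origin mismatch: signed on {cd['origin']}"
    return True, "ok"


def relay_scenario(check_origin=True):
    """The relay from the issue: the user signs on the store's origin while the
    store forwards the exchange's challenge, payee and amount, then relays the result."""
    expected = {"challenge": "constructed-challenge-42",  # issued by the exchange's PSP
                "origin": "https://buy-crypto-online.com",
                "payee": "https://buy-crypto-online.com", "total": "1000.00 USD"}
    assertion = browser_sign(origin="https://secure-legit-trusted-store.com",
                             payee_origin=expected["payee"], total=expected["total"],
                             challenge=expected["challenge"])
    return verify(assertion, expected, check_origin)
```

With `check_origin=False` the same relayed assertion is accepted, which is the "assuming that verifiers check this parameter" caveat in the comment.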
Hello,
I was reading the spec and I don't really understand how the merchant domain or payment details are authenticated. How do you prevent such a scenario:
1. secure-legit-trusted-store.com, adds a $1000 laptop to their cart and initiates a payment
2. secure-legit-trusted-store.com backend visits buy-crypto-online.com and initiates a payment for $1000
3. secure-legit-trusted-store.com relays the request from buy-crypto-online.com, but changes details to "The best laptop"
4. secure-legit-trusted-store.com relays the response to buy-crypto-online.com