Issue D: Missing Checks in Send and Receive Function of the Server #473

Open

mpguerra opened this issue Feb 18, 2025 · 0 comments · May be fixed by #485
@mpguerra (Contributor)
Location

Synopsis

The FROST demo server lacks proper validation in its message handling functions. Specifically, the send and receive functions do not verify whether the provided user.pubkey is a member of the current session. Additionally, the send function does not check whether the intended recipients are included in the session’s list of authorized public keys. Together, these oversights allow any user—even those not part of the session—to send and receive messages as if they were legitimate session participants.

Impact

An attacker can exploit the missing checks to inject unauthorized messages. However, because messages are encrypted with the Noise protocol, an attacker cannot send messages that the session participants would accept, since decryption would fail.

Preconditions

An attacker would need to know the session ID.

Severity

Low.

Remediation

We suggest implementing a session membership check in the send and receive functions. We also suggest checking whether the recipients are part of the session.
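The following is an added illustration of the two checks the remediation asks for, written in Rust (the language of the FROST implementation); it is not the FROST demo server's own code. It assumes a server that keeps a per-session set of authorized public keys and per-recipient mailboxes, and that the caller's `user.pubkey` has already been authenticated by the transport. `send_unchecked` reproduces the vulnerable shape described in the synopsis, where the session ID is the only gate; `send` and `receive` add the sender, recipient and member checks. All type and function names here are hypothetical.

```rust
use std::collections::{BTreeSet, HashMap};

// Hypothetical types standing in for the demo server's session state.
// This is added illustration, not the FROST demo server's own code.
pub type PubKey = Vec<u8>;
pub type SessionId = u64;

#[derive(Debug, Clone, PartialEq)]
pub struct Msg {
    pub from: PubKey,
    pub to: PubKey,
    pub body: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum SendError {
    NoSuchSession,
    SenderNotInSession,
    RecipientNotInSession(PubKey),
}

#[derive(Debug, PartialEq)]
pub enum RecvError {
    NoSuchSession,
    NotInSession,
}

pub struct Session {
    /// Public keys authorized for this session, fixed at creation time.
    pub pubkeys: BTreeSet<PubKey>,
    /// Per-recipient mailbox of queued messages.
    pub mailbox: HashMap<PubKey, Vec<Msg>>,
}

#[derive(Default)]
pub struct Server {
    pub sessions: HashMap<SessionId, Session>,
}

impl Server {
    pub fn create_session(&mut self, id: SessionId, pubkeys: &[PubKey]) {
        let session = Session {
            pubkeys: pubkeys.iter().cloned().collect(),
            mailbox: HashMap::new(),
        };
        self.sessions.insert(id, session);
    }

    /// Vulnerable shape from the finding: knowing the session id is enough.
    /// Neither `sender` nor any recipient is compared against `session.pubkeys`,
    /// so an outsider can enqueue messages into a member's mailbox.
    pub fn send_unchecked(&mut self, id: SessionId, sender: &PubKey,
                          recipients: &[PubKey], body: &[u8]) -> Result<(), SendError> {
        let session = self.sessions.get_mut(&id).ok_or(SendError::NoSuchSession)?;
        for r in recipients {
            let msg = Msg { from: sender.clone(), to: r.clone(), body: body.to_vec() };
            session.mailbox.entry(r.clone()).or_default().push(msg);
        }
        Ok(())
    }

    /// Hardened send: the authenticated sender must be a session member and
    /// every recipient must be a member, checked before anything is enqueued.
    pub fn send(&mut self, id: SessionId, sender: &PubKey,
                recipients: &[PubKey], body: &[u8]) -> Result<(), SendError> {
        let session = self.sessions.get_mut(&id).ok_or(SendError::NoSuchSession)?;
        if !session.pubkeys.contains(sender) {
            return Err(SendError::SenderNotInSession);
        }
        if let Some(bad) = recipients.iter().find(|r| !session.pubkeys.contains(*r)) {
            return Err(SendError::RecipientNotInSession(bad.clone()));
        }
        for r in recipients {
            let msg = Msg { from: sender.clone(), to: r.clone(), body: body.to_vec() };
            session.mailbox.entry(r.clone()).or_default().push(msg);
        }
        Ok(())
    }

    /// Hardened receive: only a session member may drain a mailbox, and only its own.
    pub fn receive(&mut self, id: SessionId, user: &PubKey) -> Result<Vec<Msg>, RecvError> {
        let session = self.sessions.get_mut(&id).ok_or(RecvError::NoSuchSession)?;
        if !session.pubkeys.contains(user) {
            return Err(RecvError::NotInSession);
        }
        Ok(session.mailbox.remove(user).unwrap_or_default())
    }
}

fn main() {
    // Constructed sample: two members and one outsider who knows the session id.
    let (a, b, x): (PubKey, PubKey, PubKey) = (b"alice".to_vec(), b"bob".to_vec(), b"outsider".to_vec());
    let mut srv = Server::default();
    srv.create_session(1, &[a.clone(), b.clone()]);
    println!("unchecked outsider send: {:?}", srv.send_unchecked(1, &x, &[a.clone()], b"hi"));
    println!("checked outsider send:   {:?}", srv.send(1, &x, &[a.clone()], b"hi"));
    println!("member to outsider:      {:?}", srv.send(1, &a, &[x.clone()], b"hi"));
    println!("outsider receive:        {:?}", srv.receive(1, &x));
}
```

The membership checks run before any state is mutated, so a request with one bad recipient among several valid ones is rejected whole rather than partially delivered. The check on `receive` is what closes the read side of the finding: without it, an outsider with the session ID could still pull ciphertext destined to a member, even if the Noise layer prevents them from producing messages the members would decrypt.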

@mpguerra mpguerra added this to the FROST Demo Audit milestone Feb 18, 2025
@mpguerra mpguerra moved this to Sprint Backlog in FROST Feb 18, 2025
@mpguerra mpguerra moved this from Sprint Backlog to Review/QA in FROST Feb 21, 2025