On September 25th, the Blockstack team received a vulnerability report relating to the Blockstack App. The Blockstack App is our open-source application for authenticating and interacting with Blockstack apps.
The Blockstack team received this vulnerability on the morning of September 25th, and we pushed a fix for this vulnerability into our production environments on the same day.
Blockstack authentication is formed around the usage of JSON Web Tokens (JWTs) that contain the ‘payload’ for authentication requests and responses. When Blockstack authentication is initiated from a third-party app, the app generates a JWT that contains some of the basic information for authentication, such as the app’s name and icon, and where the app lives.
More information on the authentication request payload can be found in our documentation.
One field that is included in the authentication request is a redirect_uri field. This URL indicates where the user should be sent after authentication has concluded. Although the Blockstack App also relies on secure cross-tab messaging to carry data from one place to another, the redirect_uri is used in environments (such as mobile) where secure cross-tab messaging is not reliable.
The root cause of the vulnerability was unsanitized usage of the redirect_uri string in the form of
Mitigating the attack
Our fix for the vulnerability involved sanitizing the
We first pushed the fix to the hosted Blockstack App running at app.blockstack.org. Our open source code on Github was updated at the same time. We also pushed new versions of the browser extension version of the Blockstack App to the Chrome and Firefox extension stores on the same day.
We investigated the possibility of conducting a similar attack on the Blockstack Browser, our deprecated product for authenticating with Blockstack apps. We were not able to replicate the attack in the Blockstack Browser, because the Blockstack Browser’s codebase makes an extra check to ensure that the URI origin of the redirect_uri field matches the origin of the original application.
Vulnerability from iFrames
To mitigate this issue, we have disabled any possibility of embedding the Blockstack App in an iFrame, through Content Security Policies and HTTP Headers.
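The two defensive controls described above, the origin check on redirect_uri that the Blockstack Browser performs and the anti-framing headers, as an added example. This is illustrative code written for this post, not the Blockstack App's own implementation; it assumes the app's origin is taken from the authentication request and passed in as a string, and that only http(s) URLs are ever legitimate redirect targets.

```javascript
// Added example (not Blockstack's code): pin redirect_uri to the app's
// origin and emit headers that forbid embedding the app in an iframe.
// Assumption: the requesting app's origin is already known from the
// authentication request JWT and is passed in as appOrigin.

const ALLOWED_SCHEMES = new Set(['https:', 'http:']);

// Returns the normalised redirect URL when it is safe to use, else null.
// Safe means: absolute URL, http(s) scheme, and an origin
// (scheme + host + port) identical to the origin the app lives at.
function validateRedirectUri(redirectUri, appOrigin) {
  if (typeof redirectUri !== 'string' || typeof appOrigin !== 'string') {
    return null;
  }
  let target;
  let app;
  try {
    target = new URL(redirectUri); // throws on relative or malformed input
    app = new URL(appOrigin);
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) return null;
  // Exact origin match: a lookalike host, a parent domain or a different
  // port all fail here, so the user can only be sent back to the app.
  if (target.origin !== app.origin) return null;
  return target.href;
}

// Response headers that stop the app from being loaded inside an iframe.
// frame-ancestors 'none' is the CSP control; X-Frame-Options covers
// older user agents that do not enforce CSP.
function antiFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Constructed sample request, not a real Blockstack payload.
const sampleRequest = {
  appOrigin: 'https://app.example',
  redirect_uri: 'https://app.example/auth/callback?session=abc',
};
const safeTarget = validateRedirectUri(sampleRequest.redirect_uri,
                                       sampleRequest.appOrigin);
console.log(safeTarget, antiFramingHeaders());
```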
We take the security of our products very seriously. Privacy and security are top priorities of all products that we build, especially those used by end-users to handle and encrypt sensitive data.
In addition to our fixes for the original vulnerability, we are investigating the following additional measures to prevent attacks in the future:
- An internal audit of the Blockstack App codebase against common OWASP and other vulnerability vectors.
- To prevent supply chain attacks, we are investigating implementing LavaMoat into our developer environments for the Blockstack App.
- Mechanisms to mitigate the possibility of phishing attacks or DNS takeover exploits.