Connect Vulnerability Report

On September 25th, the Blockstack team received a vulnerability report relating to the Blockstack App. The Blockstack App is our open-source application for authenticating and interacting with Blockstack apps.

The Blockstack team received this vulnerability on the morning of September 25th, and we pushed a fix for this vulnerability into our production environments on the same day.

The vulnerability was disclosed by the external security firm Seekurity, which was conducting a security audit for a third-party application built on the Blockstack platform. In the course of their research, they looked into the Blockstack App itself for vulnerabilities. They found a vulnerability that combined Cross-Site Scripting (XSS) and Open Redirection. The vulnerability would allow an attacker to execute arbitrary JavaScript inside the Blockstack App itself.

The attack

Blockstack authentication is formed around the usage of JSON Web Tokens (JWTs) that contain the ‘payload’ for authentication requests and responses. When Blockstack authentication is initiated from a third-party app, the app generates a JWT that contains some of the basic information for authentication, such as the app’s name and icon, and where the app lives.

More information on the authentication request payload can be found in our documentation.

One field that is included in the authentication request is a redirect_uri field. This URL indicates where the user should be sent after authentication has concluded. Although the Blockstack App also relies on secure cross-tab messaging to transmit data from one place to another, the redirect_uri is used in environments (such as mobile) where secure cross-tab messaging is not reliable.

The root cause of the vulnerability was unsanitized usage of the redirect_uri. Because of this, the Blockstack App would execute JavaScript that looks like the following:

window.open(authenticationRequest.redirect_uri)

Calling window.open on an unsanitized string is vulnerable to cross-site scripting, because a javascript: URL passed to it is executed as script in the origin of the page that called it. For example, a redirect_uri string in the form of javascript:console.log('hello'); would execute the code console.log('hello') inside the Blockstack App.

Mitigating the attack

Our fix for the vulnerability involved sanitizing the redirect_uri field to strip out any strings that could cause JavaScript execution. After our fix, executing arbitrary JavaScript is not possible.

We first pushed the fix to the hosted Blockstack App running at app.blockstack.org. Our open source code on Github was updated at the same time. We also pushed new versions of the browser extension version of the Blockstack App to the Chrome and Firefox extension stores on the same day.

We investigated the possibility of conducting a similar attack on the Blockstack Browser, our deprecated product for authenticating with Blockstack apps. We were not able to replicate the attack in the Blockstack Browser, because the Blockstack Browser's codebase makes an extra check to ensure that the origin of the redirect_uri field matches the origin of the requesting application.
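The following is an added example, not Blockstack's own code, showing the unsafe pattern from the attack section beside a hardened version of the redirect_uri handling. It assumes the decoded authentication request payload carries a `redirect_uri` field and a `domain_name` field holding the origin the app claims to live at; the `domain_name` field name and the sample payloads are assumptions made for the example. Rather than stripping pieces out of a hostile string, the hardened form parses the value as a URL, allows only http and https, and applies the origin check described for the Blockstack Browser.

```javascript
// Added example (not Blockstack's code): validating an authentication
// request's redirect_uri before it is handed to window.open.
//
// Assumption: the decoded JWT payload has `redirect_uri` and `domain_name`
// (the origin the app says it lives at). Both field names are assumed here.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Vulnerable form: the string is used untouched, so a value such as
// "javascript:console.log('hello');" runs in the Blockstack App's origin
// when passed to window.open.
function vulnerableRedirectTarget(payload) {
  return payload.redirect_uri;
}

// Hardened form: returns the normalized URL string, or null when the value
// must be rejected. Rejecting outright is safer than stripping substrings.
function safeRedirectTarget(payload) {
  let target;
  try {
    target = new URL(payload.redirect_uri); // throws on relative or garbage input
  } catch (e) {
    return null;
  }
  // 1. Only web schemes. The URL parser trims leading whitespace and
  //    lower-cases the scheme, so " JAVASCRIPT:..." is caught here too.
  if (!ALLOWED_PROTOCOLS.has(target.protocol)) return null;

  // 2. The redirect must go back to the origin that made the request
  //    (the extra check the Blockstack Browser performs). Compare parsed
  //    origins, not raw strings, so that a URL like
  //    "https://attacker.example/https://app.example" cannot slip through.
  let app;
  try {
    app = new URL(payload.domain_name);
  } catch (e) {
    return null;
  }
  if (target.origin !== app.origin) return null;

  return target.href;
}

// Constructed sample payloads (not real requests).
const samples = [
  { domain_name: 'https://app.example', redirect_uri: 'https://app.example/callback' },
  { domain_name: 'https://app.example', redirect_uri: "javascript:console.log('hello');" },
  { domain_name: 'https://app.example', redirect_uri: ' JAVASCRIPT:alert(1)' },
  { domain_name: 'https://app.example', redirect_uri: 'https://attacker.example/https://app.example' },
  { domain_name: 'https://app.example', redirect_uri: 'https://app.example:8443/callback' },
  { domain_name: 'https://app.example', redirect_uri: '/relative/path' },
];

function demo() {
  for (const s of samples) {
    console.log(JSON.stringify(s.redirect_uri), '->', safeRedirectTarget(s));
  }
}
demo();
```

Only the first sample survives; the javascript: values, the foreign origin, the different port and the relative path are all rejected, and the caller should treat null as "do not redirect" rather than fall back to the raw string.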

Vulnerability from iFrames

The external security firm was also able to find a vulnerability that took advantage of embedding the Blockstack App in an iFrame. This vulnerability utilized the mechanism inside the Blockstack App which allows the user to copy their Secret Key to the clipboard by clicking a button. By crafting a page that embedded the Blockstack App inside the attacker's own web page, an attacker could take advantage of clipboard-based JavaScript APIs to steal the user's seed phrase. This is a serious vulnerability, but it was limited to clipboard hijacking, required the user to follow a specific sequence of steps, and could not execute arbitrary JavaScript.

To mitigate this issue, we have disabled any possibility of embedding the Blockstack App in an iFrame, through a Content Security Policy and HTTP response headers.

Next steps

We take the security of our products very seriously. Privacy and security are top priorities of all products that we build, especially those used by end-users to handle and encrypt sensitive data.

In addition to our fixes for the original vulnerability, we are investigating the following additional measures to prevent attacks in the future:

  • An internal audit of the Blockstack App codebase against common OWASP and other vulnerability vectors.
  • To prevent supply chain attacks, we are investigating implementing LavaMoat into our developer environments for the Blockstack App.
  • Mechanisms to mitigate the possibility of phishing attacks or DNS takeover exploits.

Thanks @hank for the detailed report here and Seekurity for their responsible disclosure. LavaMoat looks promising.
