by 8organicbits 217 days ago
Is there a nonce relay vulnerability here? You try to verify your email with site A. Site A starts an email verification with site B. Site B sends a nonce to A, A relays the nonce to the user. The user generates the proof, sends it to A. Then A sends it to B.
1 comment

Step 5.2: the browser binds the KB-JWT to the site it's on, so Site A would receive a JWT that is only valid for Site A.
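The reply's point, as an added example that is not part of the thread: a Key Binding JWT carries `aud` (the verifier it was minted for) and `nonce` claims, and a verifier that checks `aud` against its own origin rejects a token the browser bound to a different site, even if the nonce inside it is genuine. The code below is a constructed, self-contained simulation: HS256 with a shared demo secret stands in for the holder's asymmetric key (an assumption made so it runs on the standard library alone), the site origins are made up, and the verifier logic is written for this example rather than taken from any library.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo secret standing in for the holder's key pair (assumption).
SECRET = b"constructed-demo-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_kb_jwt(aud: str, nonce: str, iat: int, key: bytes = SECRET) -> str:
    """Holder (browser) side: mint a KB-JWT bound to one verifier and one nonce."""
    header = {"typ": "kb+jwt", "alg": "HS256"}
    payload = {"aud": aud, "nonce": nonce, "iat": iat}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class Verifier:
    """Verifier side: a site only accepts KB-JWTs addressed to its own origin."""

    def __init__(self, origin: str, key: bytes = SECRET, max_age: int = 300):
        self.origin = origin
        self.key = key
        self.max_age = max_age
        self.pending_nonces: set[str] = set()  # nonces issued but not yet consumed

    def issue_nonce(self) -> str:
        nonce = _b64url(os.urandom(16))
        self.pending_nonces.add(nonce)
        return nonce

    def verify(self, token: str, now: int) -> tuple[bool, str]:
        try:
            h, p, s = token.split(".")
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        if header.get("typ") != "kb+jwt":
            return False, "wrong typ"
        # Audience binding: this is the check that defeats the relay in the thread.
        if payload.get("aud") != self.origin:
            return False, f"aud mismatch: {payload.get('aud')!r} != {self.origin!r}"
        nonce = payload.get("nonce")
        if nonce not in self.pending_nonces:
            return False, "unknown or already-used nonce"
        iat = payload.get("iat")
        if not isinstance(iat, int) or not (now - self.max_age <= iat <= now + 60):
            return False, "stale iat"
        self.pending_nonces.discard(nonce)  # single use: a replayed token fails here
        return True, "ok"


def relay_scenario() -> tuple[bool, str]:
    """The thread's scenario: B issues a nonce, A relays it to the user,
    the browser binds the KB-JWT to the site it is on (A), A forwards it to B."""
    site_b = Verifier("https://site-b.example")
    nonce = site_b.issue_nonce()                                # B -> A -> user
    now = int(time.time())
    token = make_kb_jwt("https://site-a.example", nonce, now)   # browser binds aud to A
    return site_b.verify(token, now)                            # A -> B: rejected on aud


def honest_scenario() -> list[tuple[bool, str]]:
    """Direct flow with B, then a replay of the same token, which the
    single-use nonce set rejects."""
    site_b = Verifier("https://site-b.example")
    nonce = site_b.issue_nonce()
    now = int(time.time())
    token = make_kb_jwt("https://site-b.example", nonce, now)
    return [site_b.verify(token, now), site_b.verify(token, now)]


if __name__ == "__main__":
    print("relay:", relay_scenario())
    print("honest, then replay:", honest_scenario())
```

The relayed token fails on the `aud` check before the nonce is even consulted, which is why the nonce being authentic does not help Site A; the second function shows the same verifier accepting a correctly bound token once and refusing its replay.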