Stealing Trust: Unraveling Blind Message Attacks in Web3 Authentication
Kailun Yan, Xiaokuan Zhang, Wenrui Diao

TL;DR
This paper uncovers a new security vulnerability in Web3 authentication called blind message attacks, demonstrating that most current implementations are at risk and proposing detection and protection tools to mitigate these threats.
Contribution
It introduces blind message attacks in Web3 authentication, develops Web3AuthChecker for vulnerability detection, and implements Web3AuthGuard in MetaMask for user alerts.
Findings
75.8% of Web3 authentication deployments are vulnerable
Web3AuthGuard detects 80% of attack scenarios
Two CVEs assigned for identified vulnerabilities
Abstract
As the field of Web3 continues its rapid expansion, the security of Web3 authentication, often the gateway to various Web3 applications, becomes increasingly crucial. Despite its widespread use as a login method by numerous Web3 applications, the security risks of Web3 authentication have not received much attention. This paper investigates the vulnerabilities in the Web3 authentication process and proposes a new type of attack, dubbed blind message attacks. In blind message attacks, attackers trick users into blindly signing messages from target applications by exploiting users' inability to verify the source of messages, thereby achieving unauthorized access to the target application. We have developed Web3AuthChecker, a dynamic detection tool that interacts with Web3 authentication-related APIs to identify vulnerabilities. Our evaluation of real-world Web3 applications shows that a…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Spam and Phishing Detection · User Authentication and Security Systems
