Hi!
I was doing some tests to understand what would occur if the body of the message had been tampered and the attacker provided the same signature to the verify function. This snippet illustrates the basics of the attempt:
const token = String(req.header("Authorization"))
const { signature, body } = JSON.parse(Buffer.from(token, "base64").toString())
const tamperedBody = body + "X"
const tamperedToken = Base64.encode(JSON.stringify({
signature,
body: tamperedBody,
}))
const { address } = Web3Token.verify(tamperedToken)
console.log("Didn't brake, address is " + address)And, unfortunately, no exception is thrown. Also, what I find the most confusing part, an actual address is recovered from the payload! Fortunately it is not the same address that signed the message, but still, a valid address.
Am I missing something regarding web3 signatures? Isn't the whole point of signatures to guarantee that a given payload hasn't been tampered?
Hi!
I was doing some tests to understand what would occur if the body of the message had been tampered and the attacker provided the same signature to the verify function. This snippet illustrates the basics of the attempt:
And, unfortunately, no exception is thrown. Also, what I find the most confusing part, an actual address is recovered from the payload! Fortunately it is not the same address that signed the message, but still, a valid address.
Am I missing something regarding web3 signatures? Isn't the whole point of signatures to guarantee that a given payload hasn't been tampered?