Following ESI issue #303 / SSO issue #10 discussion on tweetfleet Slack, it was agreed that any pre-selection of a character during SSO is a mechanism by which users may become complacent as to which character they're revealing they control on a given account.
CCP SnowedIn [10:00 PM]
+1 for no preselect
Reproduction Steps
1. Have several characters on 1 Eve account.
2. Be redirected to SSO for any 3rd party app. The app will know which characterID this is intended to be for.
3. Note that during the SSO screen, the first character is pre-selected by CCP; no confirmation of this choice is needed.
4. Confirm any scope set presented, ignoring the character choice, and complete the SSO.
5. If this is not the intended character to be authenticated, the referring app now knows the differing expected and received characterIDs are both on the same single account.
Expected Behaviour
Any choice of character should have to be manually confirmed by the user, to avoid abusable bias in the reduction of 3 Eve characters to 1 OAuth response per account SSO referral.
DaneelTrevize changed the title from "Pre-selection of any Eve character is a security risk" to "[Bug] Pre-selection of any Eve character is a security risk" on Apr 27, 2018.
Labels: Bug