Blind Message Attacks

Overview

This page presents demonstrations of Blind Message Attacks, Blind Multi-Message Attacks, and Replay Attacks in Web3 Authentication.
In addition, we show how Web3AuthGuard detects blind message attacks.
Feel free to pause the video at any time to delve into the details.

Blind Message Attack.mp4

Blind Message Attack

In this demo, the malicious website asks the user to sign a message from another website (https://opensea.io). Once the user signs the message, the attacker can gain access to the user's account on the opensea.

Blind Multi-Message Attack.mp4

Blind Multi-Message Attack

In this demo, the malicious website asks the user to sign a carefully crafted message. Once the user signs the message, the attacker can obtain the user's identity on the three websites.

Replay Attack .mp4

Replay Attack

In this demo, the malicious website first obtains the user's signature through a blind message attack and uses the signature to obtain the user's token of the target website.

Then, the attacker replays the signature to obtain a new token.

Opensea.mp4

Mitigation Example 1

The user has logged in to opensea.io before.

Our modified MetaMask reminds the user that it has signed a similar message on opensea.io, and the website may have a blind message attack.

Foundation.mp4

Mitigation Example 2

The user has logged in to foundation.app before.

In this demo, a malicious website launched a blind multi-message attack, one of which was detected by our modified MetaMask.

Page updated

Google Sites

Report abuse