This page presents demonstrations of Blind Message Attacks, Blind Multi-Message Attacks, and Replay Attacks in Web3 Authentication.
In addition, we show how Web3AuthGuard detects blind message attacks.
Feel free to pause the video at any time to delve into the details.
In this demo, the malicious website asks the user to sign a message that belongs to another website (https://opensea.io). Once the user signs the message, the attacker can gain access to the user's account on OpenSea.
In this demo, the malicious website asks the user to sign a carefully crafted message. Once the user signs the message, the attacker can obtain the user's identity on the three websites.
In this demo, the malicious website first obtains the user's signature through a blind message attack and uses that signature to obtain the user's login token for the target website.
Then, the attacker replays the signature to obtain a new token.
The user has logged in to opensea.io before.
Our modified MetaMask reminds the user that a similar message was previously signed on opensea.io, so the requesting website may be carrying out a blind message attack.
The user has logged in to foundation.app before.
In this demo, a malicious website launches a blind multi-message attack, and one of the messages is detected by our modified MetaMask.
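The two detection demos above share one idea: the wallet remembers what the user has already signed, and for which origin, and warns when a new request looks like a login message for some other site. The following added example is not Web3AuthGuard's or MetaMask's code; it is a small wallet-side history check written in that spirit. The similarity measure (Jaccard over whitespace tokens), the threshold, the origins `malicious.example` and `newdapp.example`, the address, the nonces, and the message layout are all constructed for the example.

```javascript
// Added example (not Web3AuthGuard code): screen a signature request against the
// messages the user previously approved from other origins.
function tokenize(text) {
  return new Set(text.toLowerCase().split(/\s+/).filter(Boolean));
}

function jaccard(a, b) {
  let shared = 0;
  for (const t of a) if (b.has(t)) shared++;
  const union = a.size + b.size - shared;
  return union === 0 ? 0 : shared / union;
}

// The domain a SIWE-style message claims to be for, or null for free-form messages.
function declaredDomain(message) {
  const m = message.match(/^(\S+) wants you to sign in/);
  return m ? m[1] : null;
}

class SignedMessageHistory {
  constructor(threshold = 0.75) {
    this.threshold = threshold; // constructed cut-off for "looks like a message you signed elsewhere"
    this.entries = []; // { origin, tokens }
  }

  // Called after the user approves a request, so later requests can be compared against it.
  record(origin, message) {
    this.entries.push({ origin, tokens: tokenize(message) });
  }

  // Warnings to show before the signing prompt; an empty array means nothing suspicious was found.
  check(origin, message) {
    const warnings = [];
    const claimed = declaredDomain(message);
    if (claimed === origin) return warnings; // a site asking for its own login message is the normal case
    if (claimed) warnings.push(`message is addressed to ${claimed} but the request comes from ${origin}`);
    const tokens = tokenize(message);
    for (const e of this.entries) {
      if (e.origin === origin) continue;
      const s = jaccard(tokens, e.tokens);
      if (s >= this.threshold) {
        warnings.push(`resembles a message previously signed on ${e.origin} (similarity ${s.toFixed(2)})`);
      }
    }
    return warnings;
  }

  // Blind multi-message attack: several requests from one origin, each screened on its own.
  checkBatch(origin, messages) {
    return messages.map((message) => ({ message, warnings: this.check(origin, message) }));
  }
}

// Constructed login message layout shared by all sites in the walkthrough.
function loginMessage(domain, address, nonce, issuedAt) {
  return [`${domain} wants you to sign in with your Ethereum account:`, address, "",
    "Sign in to continue.", "", `URI: https://${domain}`, "Version: 1", "Chain ID: 1",
    `Nonce: ${nonce}`, `Issued At: ${issuedAt}`].join("\n");
}

// Walkthrough: the user has signed in on opensea.io and foundation.app before.
function detectionDemo() {
  const address = "0x1111111111111111111111111111111111111111"; // constructed
  const history = new SignedMessageHistory();
  history.record("opensea.io", loginMessage("opensea.io", address, "a1b2c3d4", "2024-01-01T00:00:00Z"));
  history.record("foundation.app", loginMessage("foundation.app", address, "e5f6a7b8", "2024-01-02T00:00:00Z"));
  const attacker = "malicious.example"; // constructed
  // Blind message attack: the malicious site asks for an opensea.io login message with a fresh nonce.
  const blind = history.check(attacker, loginMessage("opensea.io", address, "ffff0000", "2024-02-01T00:00:00Z"));
  // A new site asking the user to sign its own login message is not flagged.
  const benign = history.check("newdapp.example", loginMessage("newdapp.example", address, "c0ffee00", "2024-02-01T00:00:00Z"));
  // Blind multi-message attack: the site bundles its own message with copies for the other two sites.
  const batch = history.checkBatch(attacker, [
    loginMessage(attacker, address, "11111111", "2024-02-01T00:00:00Z"),
    loginMessage("opensea.io", address, "22222222", "2024-02-01T00:00:00Z"),
    loginMessage("foundation.app", address, "33333333", "2024-02-01T00:00:00Z"),
  ]);
  return { blind, benign, batch };
}
```

The check deliberately skips the similarity comparison when the message's declared domain matches the requesting origin, because every SIWE-style login message for the same account shares most of its tokens; without that rule a legitimate first login on a new site would be flagged as resembling the user's earlier logins. Free-form messages that declare no domain still go through the similarity comparison.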