IdP in the middle attack

[TomCJones]

Here's a successful attack that appears (to me) to be an identify provider spoofing attack.
I think that we might need to add this to things like DC API and FedCM.
The quoted success rate is 50%

https://cybersecuritynews.com/threat-actors-impersonating-microsoft-oauth

"The researchers observed that while most campaigns impersonate generic enterprise applications, some attackers customize their lures based on specific software used in targeted industries, demonstrating a sophisticated understanding of their victims’ operational environments. The financial and operational impact has been substantial, with researchers documenting attempted account compromises affecting nearly 3,000 user accounts across more than 900 Microsoft 365 environments. Perhaps most concerning is the campaign’s confirmed success rate exceeding 50%, highlighting the effectiveness of this hybrid attack methodology that combines email-based social engineering with cloud application abuse."

[simoneonofri]

hi @TomCJones thank you. Would you like to talk in our meeting? With a bit on introduction, and undersntading if we can dosomething about it?

thank you!

https://github.com/w3c/securityig/blob/main/meetings/2025/2025-08-05_agenda.md

[simoneonofri]

As per today's discussion, with a cross-check with Zahra, this may be considered for FedCM, even if it is a UI issue.

[BigBlueHat]

@simoneonofri does the "three-party model" presented in this figure in the Verifiable Credentials Data Model specification mitigate (or perhaps just avoid) this scenario?

If the ecosystem of Wallets/Holders are detached from the Issuers and the Verifiers, then the "understanding of [the] victims' operational environment" becomes harder to achieve perhaps.

Additionally, the greater the choice of Wallets in the marketplace, the harder a complete spoof would be to create--as you'd have to present me not only with a single screen with a Wallet I use but potentially also present me with the list of other Wallets I could pick from for that identity credential. Knowing that full list (which might also change over time) would be far harder than knowing that x% of enterprises use a specific IdP provider.

It might be worth engaging with the VC WG around this particular risk as it feels at least lessened by the three party model.

Cheers!
🎩

[TomCJones]

the three party model seems to have four parties - it is the forth that could be comprised.
verifiable data registry
A role a system might perform by mediating the creation and verification of identifiers, verification material, and other relevant data, such as verifiable credential schemas, revocation registries, and so on, which might require using verifiable credentials. Some configurations might require correlatable identifiers for subjects. Some registries, such as ones for UUIDs and verification material, might just act as namespaces for identifiers. Examples of verifiable data registries include trusted databases, decentralized databases, government ID databases, and distributed ledgers. Often, more than one type of verifiable data registry used in an ecosystem.

On selecting wallets - i see no movement of the DC API to allow such a thing, altho the api could support it.