revoked_at is not included in signature #56

New Issue

Open

opened 2026-04-05 16:11:01 +00:00 by Skipper · 0 comments

Skipper commented 2026-04-05 16:11:01 +00:00

Owner

Copy Link

Info

Severity: CRITICAL
Attack vector: offline

Impact

Allows an attacker to restore previously revoked grants and regain signing capability.

Description

The revoked_at field is stored in the database but is not included in the MAC-protected grant payload. As a result, revocation state can be changed without
breaking integrity verification.

Example flow

1. Find a revoked grant in the database.
2. Set revoked_at back to NULL.
3. Present a signing request that matches the grant.
4. The grant passes integrity checks and is treated as active again.

Mitigation

Include revoked_at in the integrity-protected grant representation, or move revocation status into a separately protected structure.

# Info **Severity**: **CRITICAL** Attack vector: offline ## Impact Allows an attacker to restore previously revoked grants and regain signing capability. ## Description The `revoked_at` field is stored in the database but is not included in the MAC-protected grant payload. As a result, revocation state can be changed without breaking integrity verification. ## Example flow 1. Find a revoked grant in the database. 2. Set `revoked_at` back to `NULL`. 3. Present a signing request that matches the grant. 4. The grant passes integrity checks and is treated as active again. ## Mitigation Include `revoked_at` in the integrity-protected grant representation, or move revocation status into a separately protected structure.

Skipper added the

Difficulty

Low

1

Kind

Security

labels 2026-04-05 16:11:01 +00:00

CleverWild self-assigned this 2026-04-08 10:03:00 +00:00

CleverWild referenced a pull request that will close this issue 2026-04-08 10:10:23 +00:00

security(server): bind grant revocation state (revoked_at) to integrity hash #83

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

security-hash-revoke_at

feat-lints

enforcing-integrity

impl-useragent_delete_grant

Client-key-replacement-attack

critical-fix-CI-check-all-features

win-service

fix-proto-build-script

terrors-refactor

PoC-terrors

push-lspnytwuyulm

key-alternative

push-yyxvkwvyspxv

security-breaktrougth

No results found.

Labels

Clear labels

Compat

Breaking

Breaking change that won't be backward compatible

Difficulty

High

3

Hard difficulty. Experience needed to fix: A lot.

Difficulty

Low

1

Easy difficulty. Experience needed to fix: Not much. Good first issue.

Difficulty

Medium

2

Medium difficulty. Experience needed to fix: Intermediate.

Kind

Bug

This is a bug.

Kind

Enhancement

Improve existing functionality.

Kind

Feature

New functionality

Kind

RFC

Request for comments

Kind

Security

This is security issue

Kind

Testing

This is testing issue.

Kind

Tracking issue

An issue tracking the progress of sth. like the implementation of an RFC

Priority

Critical

1

The priority is critical

Priority

High

2

The priority is high

Priority

Low

4

The priority is low

Priority

Medium

3

The priority is medium

Reviewed

Confirmed

1

Issue has been confirmed

Reviewed

Duplicate

2

This issue or pull request already exists

Reviewed

Invalid

3

Invalid issue

Reviewed

Pending

4

Requires review by dev

Reviewed

Won't Fix

3

This issue won't be fixed

Status

Abandoned

3

Somebody has started to work on this but abandoned work

Status

Blocked

1

Something is blocking this issue or pull request

Status

Need More Info

2

Feedback is required to reproduce issue or to continue work

No Label

Difficulty

Low

1

Kind

Security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

CleverWild Skipper goodvin testuser

No Assignees CleverWild

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MarketTakers/arbiter#56