Critical Security Bug: Authentication Bypass in SIWB

vsekar · April 16, 2025, 10:04am

Dear all,

We have recently discovered an authentication bypass vulnerability in ic_siwb_provider canister that allows an attacker to take full control of any Internet Computer (IC) account principal created using the SIWB authentication protocol. Please refer to the GitHub Security Advisory for more details.

This is a critical security issue. All Identity Providers must immediately redeploy their SIWB instances using the latest patched build of ic_siwb_provider.

As this vulnerability has already been exploited in the wild, the DFINITY security team will publish a postmortem of the incident in a separate forum post.

We encourage the ICP community to report any new issues or vulnerabilities responsibly. For more information, please consult our Bug Bounty program for projects maintained by DFINITY.

If you have any questions, feel free to reply in this thread or contact us privately.

saikatdas0790 · April 16, 2025, 10:12am

Gentle suggestion.

Might make sense for Dfinity to maintain an official one or bless a version that provides the same level of trust that this one has

Since this is critical infrastructure for the ckBTC side of things

robin-kunzler · April 24, 2025, 11:24am

See also this broader discussion: Critical Vulnerability in Sign-In With Bitcoin (SIWB) used to Attack Odin.fun - Learnings and Discussion

Topic		Replies	Views
Critical Vulnerability in Sign-In With Bitcoin (SIWB) used to Attack Odin.fun - Learnings and Discussion Developers security , dev , authentication	2	202	April 24, 2025
Sign In with Bitcoin on ICP Developers	13	622	December 27, 2024
Ic-siwe: Sign-In With Ethereum support libraries for IC Developers	17	1354	January 7, 2024
Announcing IC-SIWS: Use Solana wallets to login to ICP Developers	6	459	April 2, 2025
Announcing ic-siwe: Use Ethereum wallets to login to IC Showcase	37	1711	April 15, 2025

Critical Security Bug: Authentication Bypass in SIWB

Related topics