Category: Coding Mistakes

Lack of extractedParameterValues validation in callback

Critical Severity
Critical Impact
High Likelihood

Description

The Reclaim documentation recommends that websites use the values in extractedParameterValues. However, the SDK does not validate this data; it only validates claimData.parameters. A malicious user can therefore modify the extractedParameterValues of a valid, signed claim to contain any value they like, and the proof still verifies.

To test this vulnerability, we can use the following:

import { Reclaim } from '@reclaimprotocol/js-sdk'

// a valid, signed claim
const claim = {
  identifier: '0x...',
  claimData: {
    provider: 'http',
    parameters: '{...}',
    context: '...',
    ...,
  },
  signatures: [
    '0x...',
  ],
  witnesses: [{
    id: '0x...',
    url: 'https://...',
  }],
  extractedParameterValues: { ... },
}

// overwrite the extracted values; the signature still verifies because
// extractedParameterValues is not covered by the signed identifier
claim.extractedParameterValues = {
  malicious: 'values',
}

console.log(await Reclaim.verifySignedProof(claim)) // true

This issue occurs in reclaim-sdk/packages/js/src/witness.ts, where the extractedParameterValues are not included in the identifier computation:

export function getIdentifierFromClaimInfo(info: ClaimInfo): ClaimID {
  // only provider, parameters and context are hashed into the identifier;
  // extractedParameterValues never enters the hash, so it is not signed
  const str = `${info.provider}\n${info.parameters}\n${info.context || ''}`;
  return ethers.keccak256(strToUint8Array(str)).toLowerCase();
}

Impact

This issue allows all claim parameter values consumed through extractedParameterValues to be easily spoofed by malicious users, while verifySignedProof continues to report the proof as valid.

Recommendations

We recommend that either

  • reclaim-sdk should validate extractedParameterValues against claimData.parameters, or

  • the node should include the extracted parameters in the signed identifier (which is then validated by verifySignedProof).
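The first recommendation, as an added example that is not Reclaim SDK code: a verifier-side check that rejects a proof whose extractedParameterValues disagree with the values bound in the signed claimData.parameters. It assumes, as a constructed sample, that the provider's parameters JSON carries a paramValues object mapping each parameter name to its attested value; the real provider schema should be checked before reuse. The check is sound only because parameters is covered by the identifier that verifySignedProof validates, so it must run in addition to (never instead of) that signature check.

```javascript
// Parse the signed parameters and return the bound values, or null if the
// shape is not what we expect (assumed `paramValues` key, constructed sample).
function getSignedParamValues(claim) {
  let params;
  try {
    params = JSON.parse(claim.claimData.parameters);
  } catch {
    return null;
  }
  const bound = params && params.paramValues;
  if (!bound || typeof bound !== 'object' || Array.isArray(bound)) return null;
  return bound;
}

// Accept only if extractedParameterValues has exactly the signed keys and
// every value is the string the witness attested. Extra, missing or altered
// keys are rejected, so a tampered proof cannot smuggle in new values.
function verifyExtractedParameterValues(claim) {
  const bound = getSignedParamValues(claim);
  if (bound === null) return false;
  const extracted = claim.extractedParameterValues;
  if (!extracted || typeof extracted !== 'object' || Array.isArray(extracted)) return false;
  const boundKeys = Object.keys(bound);
  if (boundKeys.length !== Object.keys(extracted).length) return false;
  for (const key of boundKeys) {
    if (!Object.prototype.hasOwnProperty.call(extracted, key)) return false;
    if (typeof extracted[key] !== 'string' || extracted[key] !== bound[key]) return false;
  }
  return true;
}

// Constructed sample claim; signatures and witnesses are omitted because this
// check covers only the relation between parameters and extracted values.
const sampleClaim = {
  claimData: {
    provider: 'http',
    parameters: JSON.stringify({
      url: 'https://example.com/me',
      paramValues: { username: 'alice', plan: 'pro' },
    }),
    context: '',
  },
  extractedParameterValues: { username: 'alice', plan: 'pro' },
};

// Same claim with extractedParameterValues rewritten after signing.
function tamperedClaim() {
  const c = JSON.parse(JSON.stringify(sampleClaim));
  c.extractedParameterValues = { username: 'admin', plan: 'pro' };
  return c;
}
```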

Remediation

Zellic © 2025