This repository has been archived by the owner on Nov 7, 2023. It is now read-only.

Binance auth #316

Open
dmytroleonenko opened this issue Nov 16, 2020 · 16 comments

Comments

@dmytroleonenko

dmytroleonenko commented Nov 16, 2020

Hey
I decided it would be good to protect my Binance.com account with Krypton. Logged in, set up a new hardware key, got a request on my phone, approved, got the record on the phone. Now when I try to log in again with Chrome or Safari it just never pops up again on my phone. Only the standard Mac Chrome prompt window with the USB and built-in fingerprint options. Any ideas? How do I make it prompt me again?

@agrinman
Contributor

I don't have an account with them to test. Are there any error/console messages in the page context/web extension context?

@dmytroleonenko
Author

It's like it is constantly waiting for a YubiKey to be inserted (Krypton pretended to be a YubiKey for them). Since I never get any push to my phone to confirm the login, I never get anything back from the site. It just waits for the key to be inserted until the timeout.

@dmytroleonenko
Author

The weird thing is that I even tried to authenticate with Chrome on my other MacBook and still no joy. I never get anything pushed to my phone. It works for the GitHub login though. What could it be?

@dmytroleonenko
Author

The page that I see in the browser tab when the USB/built-in window pops up is accounts.binance.com, but the window itself says I need to verify my identity on binance.com.
[Screenshot attached: 2020-11-16 at 23:12:51]

@dmytroleonenko
Author

Not sure if related, but when I try to rename the hardware key in the FB setting the same window with the request to insert the security key pops up, but nothing is pushed to my phone (and it works for the login attempt at the same time).

@dmytroleonenko
Author

If I try to fake the user agent on Safari to pretend to be Chrome, I get the following error from the Krypton desktop in the notification center:
[Screenshot attached: 2020-11-17 at 17:24:29]

@dmytroleonenko
Author

I think I found the error in the extension context:
Trusted Facets list does not include the requesting FacetID https://accounts.binance.com

@dmytroleonenko
Author

@agrinman I assume it is really related to the domain name being different from the one used while setting up the key? If you give me some guidance I can gather the logs needed.

@dmytroleonenko
Author

dmytroleonenko commented Nov 18, 2020

I think I know what the issue is.
If I run the debug console of the background page (extension context) and replace the

getOriginsFromJson = function (text) {
    try {
        let urls;
        const appIdData = JSON.parse(text);
        if (Array.isArray(appIdData)) {
            // Older format where it is a simple list of facets
            urls = appIdData;
        }
        else {
            const trustedFacets = appIdData['trustedFacets'];
            if (trustedFacets) {
                for (const versionBlock of trustedFacets) {
                    if (versionBlock['version'] &&
                        versionBlock['version']['major'] === 1 &&
                        versionBlock['version']['minor'] === 0) {
                        urls = versionBlock['ids'];
                        break;
                    }
                }
            }
            if (typeof urls === 'undefined') {
                throw Error('Could not find trustedFacets for version 1.0');
            }
        }
        const origins = {};
        for (const url of urls) {
            const origin = url_1.getOriginFromUrl(url);
            if (origin) {
                // Enforce only HTTPS origins for Trusted Facets per FIDO AppId & Facet (v1.2) 3.1.2.12
                // TODO: allow for valid mobile facets as well
                if (origin.indexOf('https://') === 0) {
                    origins[origin] = origin;
                }
            }
        }
        return Object.keys(origins);
    }
    catch (e) {
        console.error('could not parse ' + text);
        return ['https://accounts.binance.com', 'https://binance.com'];
    }
}

function with the one above, I get the request on my phone and then I was able to log in. The thing is, the extension tries to fetch the allowed facets from the appId (https://binance.com), and because it is an HTML page the getOriginsFromJson function couldn't parse it. I know it is a binance.com issue, in particular because they don't comply properly with the U2F standard. I'll try to detach the U2F key from it now, since I was able to log in.
@agrinman if you can think of a way to handle this case somehow it would be nice. If not, just let me know and close the issue.
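To make the failure mode above concrete, here is an added, stand-alone example (not the Krypton extension's code and not the author's patch) of how a U2F TrustedFacets check works: a valid facet list is parsed, an HTML page at the appId URL fails JSON parsing, and the requesting origin is then checked only against the appId's own origin instead of a hardcoded list, so a mismatched subdomain is rejected rather than waved through. The function names, the `example.com` URLs and the sample documents are constructed for this example.

```javascript
// Constructed sample responses for an appId URL (not real Binance data).
const SAMPLE_V1 = JSON.stringify({
  trustedFacets: [{
    version: { major: 1, minor: 0 },
    ids: ['https://accounts.example.com', 'https://example.com',
          'http://insecure.example.com'],   // http facet must be dropped
  }],
});
const SAMPLE_LEGACY = JSON.stringify(['https://legacy.example.com']);
const SAMPLE_HTML = '<!DOCTYPE html><html><body>landing page</body></html>';

// Hypothetical helper: reduce a URL to its origin, or null if malformed.
function getOriginFromUrl(url) {
  try { return new URL(url).origin; } catch (_) { return null; }
}

// Parses a TrustedFacets document (v1.0 object or legacy flat array).
// Throws on anything else, including an HTML page, which is what the
// extension hit when it fetched https://binance.com as the appId.
function getOriginsFromJson(text) {
  const appIdData = JSON.parse(text);            // SyntaxError on HTML
  let urls;
  if (Array.isArray(appIdData)) {
    urls = appIdData;                             // older list format
  } else {
    for (const block of appIdData.trustedFacets || []) {
      if (block.version && block.version.major === 1 && block.version.minor === 0) {
        urls = block.ids;
        break;
      }
    }
    if (urls === undefined) throw new Error('Could not find trustedFacets for version 1.0');
  }
  const origins = new Set();
  for (const url of urls) {
    const origin = getOriginFromUrl(url);
    // Only HTTPS web facets are trusted (FIDO AppID & Facet spec 3.1.2.12).
    if (origin && origin.startsWith('https://')) origins.add(origin);
  }
  return [...origins];
}

// Hypothetical check: may `requestingOrigin` use `appId`? If the appId
// URL served no usable facet list, fall back to the appId's own origin
// only, so https://accounts.example.com is refused for https://example.com.
function isTrustedFacet(appId, body, requestingOrigin) {
  let facets;
  try { facets = getOriginsFromJson(body); }
  catch (e) { facets = [getOriginFromUrl(appId)]; }
  return facets.includes(requestingOrigin);
}
```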

@rolltidehero

I'm having the same issue on Binance and am locked out. Can you please tell me how you fixed this in more detail?

Thanks so much

@dmytroleonenko
Author

Yes, so you go into Chrome extensions, then into Krypton Authenticator. Here you'll find
https://www.dropbox.com/s/hfeo0jbn2rg3x6r/Screenshot%202020-12-18%20at%2018.41.17.png?dl=0
Click the "background page" as on the image.
Now when you open the page you'll get to the Chrome developer tools console in the extension context.
Here you can paste the code I posted previously, effectively replacing the JavaScript function of the extension. Now you can go back to your browser and try to log in to Binance. Once you get the request on your phone, tap "Always allow this host" or "Allow for 1h" so that the Krypton phone app can approve it right away. You might fail logging in the first time, but then you can try once again and you should succeed.
Then you should be able to detach the HW key from your account. Just make sure you understand it implies a 24h freeze on any withdrawal operations. YubiKey was not any better for me. I was easily able to log in every time but the transfer was always failing, so I removed all the HW keys.

@rolltidehero

Thanks, but when I replace the getOriginsFromJson function and use Ctrl+S to save, the extension crashes.

Here is a screenshot of what I tried to save: https://bit.ly/38pSrMn

Any ideas? Can you share your revision of the extension?

@dmytroleonenko
Author

You don't need to save anything. You just need to paste the content into the console and press Enter. That's it.

@rolltidehero

rolltidehero commented Dec 27, 2020

I'm very, very sad to report that this method doesn't work for me. I still get asked for the USB key.
Console error: Trusted Facets list does not include the requesting FacetID https://accounts.binance.com

@dmytroleonenko
Author

Text me on Telegram: +380638550878. I'll try to help.

@LEXASOFT

Thanks guys, it helped me remove the key at Binance and at Bitfinex; for the latter I used:
return ['https://www.bitfinex.com', 'https://setting.bitfinex.com'];
