Zero-knowledge proofs can't fix what they can't see. Our security analysis of zkLogin reveals that real-world ZK authorization systems are only as secure as the authentication infrastructure they're built on.

Brave's publication is a source of information and insights on internet privacy, online advertising, and browser technology. Through articles, research papers, and opinion pieces, Brave offers insights into digital privacy issues, data protection regulations, and the impact of online advertising on user experience and security. Readers can learn about Brave's privacy-focused browser features, ad-blocking technologies, and blockchain-based rewards program designed to protect user privacy and incentivize ethical advertising practices. Additionally, Brave provides updates on its partnerships, product developments, and community initiatives to empower users to take control of their online privacy and security.

Brave

Security researchers at Brave identified critical vulnerabilities in zkLogin, a zero-knowledge proof-based authorization system used in the Sui blockchain ecosystem. The analysis reveals three major vulnerability classes: ambiguous JWT parsing that allows claim shadowing and parser differentials, weak binding between authentication and authorization enabling cross-RP impersonation attacks, and centralization risks from outsourced proving services. The core issue is that zkLogin's security depends not just on cryptographic proofs, but on external assumptions about document correctness, issuer governance, and execution environments that the protocol doesn't enforce. The research demonstrates that repurposing short-lived OIDC tokens into long-lived authorization credentials without proper validation, canonical parsing, and cryptographic binding creates exploitable attack surfaces even when the underlying ZKP cryptography is sound.

zkLogin: when ZKP is not enough

Vulnerabilities: When Authorization Inherits the Messiness of the Web

Ethical Considerations and Responsible Disclosure