Notes

• zkLogin security relies not just on ZKP, but also on JWT parsing and trust policies.
• Key vulnerabilities: permissive JWT parsing, missing context binding, and centralization risks.
• Non-cryptographic flaws may lead to impersonation and identity leaks.
• System inherits and may amplify web authentication weaknesses.
• Recommendations: clarify protocol properties, diversify issuers and proving infra.
• Both cryptographic and non-cryptographic factors are vital for ZKA security.

• zkLogin安全性不能仅简化为底层ZKP，还依赖非加密假设如JWT解析和信任策略
• 漏洞包括：允许畸形JWT的声明提取、短期认证转长期授权时缺乏上下文绑定、集中化和隐私风险
• 非加密漏洞可能导致跨应用冒充和用户身份属性泄露
• 系统继承了Web认证生态的脆弱性，在某些情况下还放大了风险
• 建议加强协议级属性规范和执行，减少对少数发行者和外包证明基础设施的依赖
• 研究强调ZKA系统需全面考虑加密和非加密因素以确保安全