Brave researchers report zkLogin weaknesses that lie outside the cryptography, exposing users to cross-application impersonation and privacy leaks.
Brave security researchers have uncovered serious flaws in zkLogin, the widely deployed OpenID-based authorization system used on the Sui blockchain. The problems lie outside its cryptography. According to Brave on X, zero-knowledge authorization systems face broader challenges than previously thought.
zkLogin lets a user authenticate with an existing OpenID account without revealing that identity. That sounds ideal for privacy. The research shows the guarantee rests on assumptions the protocol never pins down.
The system makes assumptions during authorization that are never stated, and attackers can exploit the gaps. As Brave put it on X, zkLogin depends on non-cryptographic factors that were never specified as protocol requirements.
Sofia Celi, Hamed Haddadi, and Kyle Den Hartog published the findings. The team analyzed public documentation and source code and surveyed wallets and public endpoints across deployments.
Three vulnerability classes emerged. The first is permissive claim extraction: implementations accept malformed JWTs, and because the parsing is non-canonical, two validators can disagree about what the same token says.
The other two concern deployment rather than the proof system. Browser-based deployments expose secret material to the page environment. And short-lived authentication artifacts become durable authorization credentials, because the system does not enforce issuance context (who issued the token, for which application, and when).
Beyond Cryptography: The Real Threats
Cross-application impersonation becomes possible through these flaws. Many implementations do not verify the audience claim, so a token issued for one application is accepted by another, and subject binding is ignored during credential validation.
Temporal validity is not enforced consistently either. Expired tokens are sometimes still accepted, including by other applications, so the attack window extends well beyond a token's intended lifetime.
The complete analysis appears at eprint.iacr.org/2026/227. None of the vulnerabilities is cryptographic in nature: the proofs hold, and the gaps are in everything around them.
zkLogin relies on JWT/JSON parsing assumptions. Issuer trust policies are not standardized. Architectural binding depends on execution-environment integrity that is never verified.
A small set of OpenID issuers controls who can authenticate. That centralization creates single points of failure: a compromised issuer can mint valid tokens for any of its users.
Third-party proving infrastructure handles user data. Identity attributes flow through external services without the user's informed consent, so privacy risk is amplified rather than reduced.
The research team also found inconsistent security practices. Different deployments validate tokens differently, which creates multiple attack surfaces across the network.
Users assume zkLogin protects their privacy. In many deployments it does not: secret material is reachable from the browser environment in ways users do not expect.
Malformed JWTs slip through permissive parsing. That is the weakness the first vulnerability class exploits: an attacker crafts a token that a strict parser would reject and the deployment still accepts it.
Privacy Promises Meet Harsh Reality
The fragilities of web-based authentication carry over to the blockchain. zkLogin inherits these problems, according to the research, and some scenarios make them worse.
Zero-knowledge proofs cannot rescue a weak architecture. The system's security depends on external factors, and those properties must be specified and enforced at the protocol level.
Issuance context is ignored during authorization. Issuer, audience, subject binding, and temporal validity (the exp and nbf claims) should all be verified; current implementations skip these checks.
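The checks the page says deployments skip, as an added example in Python (not code from Brave's paper or from the zkLogin code base): a permissive substring extractor beside a strict parser that rejects malformed and non-canonical JWTs, and an issuance-context validator covering issuer, audience, subject binding and temporal validity. The issuer allowlist, the client id "app-a", the use of the nonce as a session binding, the HS256/HMAC signature stand-in and all sample tokens are constructed assumptions for this illustration; real OpenID issuers sign with RS256 and the verification key comes from the issuer's JWKS.

```python
# Added example, not code from Brave's paper or from zkLogin itself: strict
# JWT claim extraction and issuance-context checks beside the permissive
# substring extraction the page warns about. Issuer list, client id, nonce
# binding and the HS256/HMAC signature stand-in are assumptions so it runs
# offline (real issuers use RS256 with keys from their JWKS).
import base64
import hashlib
import hmac
import json
import re

ALLOWED_ISSUERS = {"https://accounts.google.com"}  # assumed trust policy
CLOCK_SKEW_SECONDS = 60


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode_canonical(s):
    # RFC 7515 alphabet only, no padding, and re-encoding must reproduce the input.
    if not re.fullmatch(r"[A-Za-z0-9_-]*", s) or len(s) % 4 == 1:
        raise ValueError("malformed base64url segment")
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    if b64url(raw) != s:
        raise ValueError("non-canonical base64url segment")
    return raw


def _no_duplicate_keys(pairs):
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate claim {key!r}")
        obj[key] = value
    return obj


def permissive_claim(payload, name):
    # Substring extraction: first '"name":"value"' anywhere, ignoring JSON structure.
    m = re.search(rb'"' + name.encode() + rb'"\s*:\s*"([^"]*)"', payload)
    return m.group(1).decode() if m else None


def strict_claims(payload):
    # Whole-document JSON parse; duplicate keys and non-objects are errors.
    claims = json.loads(payload, object_pairs_hook=_no_duplicate_keys)
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def verify_issuance_context(claims, expected_aud, expected_nonce, bound_sub, now):
    if claims.get("iss") not in ALLOWED_ISSUERS:
        raise ValueError("issuer not trusted")
    aud = claims.get("aud")  # RFC 7519 allows a list; require an exact match
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")  # token minted for another app
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("missing subject")
    if bound_sub is not None and sub != bound_sub:  # subject the account was derived from
        raise ValueError("subject not bound to this account")
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW_SECONDS:
        raise ValueError("token expired")  # no reuse as a durable credential
    if now + CLOCK_SKEW_SECONDS < nbf:
        raise ValueError("token not yet valid")
    if claims.get("nonce") != expected_nonce:  # assumed binding to this session's key
        raise ValueError("nonce not bound to this session")
    return {"iss": claims["iss"], "aud": expected_aud, "sub": sub}


def validate_token(token, key, **ctx):
    # Returns (True, identity) or (False, reason); never raises on bad input.
    try:
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("expected header.payload.signature")
        if strict_claims(b64url_decode_canonical(parts[0])).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # no algorithm confusion
        payload = b64url_decode_canonical(parts[1])
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode_canonical(parts[2])):
            raise ValueError("bad signature")  # HS256 stand-in for RS256/JWKS
        return True, verify_issuance_context(strict_claims(payload), **ctx)
    except ValueError as err:
        return False, str(err)


def make_token(payload, key):
    # Builds constructed test tokens with the HS256 stand-in.
    head, body = b64url(b'{"alg":"HS256","typ":"JWT"}'), b64url(payload)
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"


# Constructed sample data (not real tokens); NOW is a fixed clock for the demo.
KEY, NOW = b"constructed-demo-key", 1_700_000_000
CTX = dict(expected_aud="app-a", expected_nonce="n1", bound_sub="111", now=NOW)
GOOD = (b'{"iss":"https://accounts.google.com","sub":"111","aud":"app-a",'
        b'"nonce":"n1","iat":1699999900,"exp":1700000900}')
# A second "sub": substring extraction reads "111", a canonical parser rejects
# the document, and a last-wins parser would read "222".
DUP_SUB = GOOD.replace(b'"aud"', b'"sub":"222","aud"')
OTHER_APP = GOOD.replace(b'"aud":"app-a"', b'"aud":"app-b"')  # issued for app-b
```

Run against the constructed data, the same DUP_SUB bytes yield "111" from the substring extractor and a rejection from the strict parser, while a last-wins parser would answer "222"; that three-way disagreement is the opening non-canonical parsing creates. The audience and expiry rejections are the checks that stop a token issued for another application, or long ago, from being reused as a durable credential here.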
The paper is dated February 12, 2026 and is published under a Creative Commons Attribution license, so the complete technical details are freely available online.
Brave followed responsible disclosure practices. Affected parties received advance notice before publication, and the stated goal is to improve authorization systems industry-wide.
Outsourced proving services create unexpected risks. User data flows through third parties during normal operation, and many users do not realize that information is shared.
Different wallet implementations interpret the rules differently. JWT validation is inconsistent across platforms, which undermines the trust model as a whole.
Fundamental architectural decisions need revisiting. Patches alone cannot address these vulnerabilities; protocol-level changes are needed for real security.
Developers should audit their own zkLogin usage. The vulnerable patterns Brave identified may exist elsewhere, and independent third-party security reviews are now critical.
Zero-knowledge authorization promised enhanced privacy. Implementation reality reveals significant gaps, and theory and practice diverge dangerously in current deployments.