Utm parameters breaking deeplink signature #23222
Description
What is this about?
Current behavior: When any utm_* (utm_campaign, utm_source) attribute is present in sig_params or if sig_params is missing, the deeplink will always be redirected to untrusted flow, with "Caution" interstitial
Expected behavior: If any utm attribute is included of a sig_params, the signature should be validated considering these params
Additionally: Handle empty sig_param array as "no parameters are signed", i.e. only the root itself is signed (?sig_param=&sig=...)
Scenario
No response
Design
No response
Technical Details
No response
Threat Modeling Framework
No response
Acceptance Criteria
No response
Stakeholder review needed before the work gets merged
- Engineering (needed in most cases)
- Design
- Product
- QA (automation tests are required to pass before merging PRs but not all changes are covered by automation tests - please review if QA is needed beyond automation tests)
- Security
- Legal
- Marketing
- Management (please specify)
- Other (please specify)
References
No response
Metadata
Metadata
Assignees
Labels
Issue root cause analysis neededAn issue that may have caused fund loss or access to wallet in the past & may still be ongoingRegression bug that was found in release candidate (RC) for release 7.60.0Regression bug that was found in production in release 7.59.0Issue or pull request that will be included in release 7.61.0This bug is blocking the next releaseMobile Platform team