Leakage of Private Keys in Chrome Extension Wallet #11
Comments
2 tasks
|
Issue closed, published in Hall of Fame |
|
@santiagotrujilloz Wallet is a critical component of any project , the bounty decision on it is not according to the severity of the issue. As you can see the reference that Sentry logging has led to a compromise before. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1. Bug/Vulnerability Description
Leakage of Private Keys in Chrome Extension Wallet
2. Hardware and Software Specifications
3. Steps to Reproduce
4. Impact Analysis
Logging in wallets is not advisable. Especially when keys are being logged. Rogue developers can leverage to steal the keys. We have real exploitation of this issue in case of Slope Finance Wallet. Where exploiter gained access to around 9000 logged keys and drained 4 million USDC.
Reference:
https://twitter.com/osec_io/status/1555087560887922688?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1555087560887922688%7Ctwgr%5E836d80113528af48747df0a342f3beac6bd5e426%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fdiscover.luno.com%2Fwhat-exactly-happened-in-the-slope-finance-hack%2F
5. Code Fix Submission
Disable the logging of critical info , or logging as a whole.
6. Choose the Right Label
Security Issue: Critical
7. Additional Context
I have attached a POC video showing the issue.
https://drive.google.com/file/d/1lkBbOhk3SNWc0Jykudw26Qe9SmjLkbSr/view?usp=sharing
Thank you for contributing to the improvement of our project!👨💻👩💻
Swisstronik internal use only
The text was updated successfully, but these errors were encountered: