Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Crypto Wallets is enabled by default in private mode #13279

Closed
kholbekj opened this issue Dec 22, 2020 · 4 comments · Fixed by brave/brave-core#7579
Closed

[Security] Crypto Wallets is enabled by default in private mode #13279

kholbekj opened this issue Dec 22, 2020 · 4 comments · Fixed by brave/brave-core#7579
Assignees
@darkdh
Labels
feature/ethereum-remote-client feature/private-browsing OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. privacy QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-Plan-Specified QA/Yes release-notes/include security
Milestone
1.20.x - Release

Comments

@kholbekj
Copy link

Description

When entering safe-mode and accessing a page, the meta-mask extention remains active and connected to the site.

Steps to Reproduce

  1. Enable crypto wallet
  2. connect to a Dapp
  3. open a private session
  4. go to same dapp.

Actual result:

The wallet is picked up, and the website can read the address of the user.

Expected result:

The wallet is not by default on (or at least connected to the app), so that the app cannot immediately identify the user.

Brave version (brave://version info)

Brave | 1.18.75 Chromium: 87.0.4280.101 (Official Build) (64-bit)
-- | --
Revision | 9407c80213cda69c2b7abcb4fa8e3f74488f4956-refs/branch-heads/4280@{#1807}
OS | Linux
JavaScript | V8 8.7.220.29
Flash | (Disabled)
User Agent | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Safari/537.36
Command Line | /opt/brave.com/brave/brave --enable-dom-distiller --disable-domain-reliability --no-pings --extension-content-verification=enforce_strict --extensions-install-verification=enforce --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --sync-url=https://sync-v2.brave.com/v2 --lso-url=https://no-thanks.invalid --variations-server-url=https://variations.brave.com/seed --enable-features=PrefetchPrivacyChanges,WebUIDarkMode,AutoupgradeMixedContent,DnsOverHttps,LegacyTLSEnforced,PasswordImport,ReducedReferrerGranularity --disable-features=AllowPopupsDuringPageUnload,VideoPlaybackQuality,TabHoverCards,AutofillEnableAccountWalletStorage,PrivacySettingsRedesign,NotificationTriggers,SmsReceiver,TextFragmentAnchor,IdleDetection,NetworkTimeServiceQuerying,PasswordCheck,AutofillServerCommunication,SignedExchangeSubresourcePrefetch,SafeBrowsingEnhancedProtection --flag-switches-begin --flag-switches-end
Executable Path | /opt/brave.com/brave/brave
@diracdeltas
Copy link
Member

@ryanml @bbondy will this be fixed when Dapp detection is removed? i agree that websites in incognito mode should not be able to see the wallet ID, at least not without user permission

@bbondy bbondy added the priority/P2 A bad problem. We might uplift this to the next planned release. label Jan 1, 2021
@bbondy bbondy changed the title Metamask is enabled by default in private mode Crypto Wallets is enabled by default in private mode Jan 1, 2021
@bbondy
Copy link
Member

bbondy commented Jan 1, 2021

I think it is different

@kholbekj
Copy link
Author

kholbekj commented Jan 3, 2021

Am I wrong to say it is metamask? Looking at the console, it does seem so.

@bbondy bbondy added the feature/web3/wallet Integrating Ethereum+ wallet support label Jan 10, 2021
@diracdeltas diracdeltas mentioned this issue Jan 12, 2021
Closed
@darkdh darkdh self-assigned this Jan 12, 2021
@darkdh darkdh mentioned this issue Jan 13, 2021
Merged
23 tasks
@srirambv srirambv mentioned this issue Jan 13, 2021
Open
@darkdh darkdh added this to the 1.20.x - Nightly milestone Jan 13, 2021
@darkdh darkdh mentioned this issue Jan 14, 2021
Closed
4 tasks
@LaurenWags LaurenWags changed the title Crypto Wallets is enabled by default in private mode [Security] Crypto Wallets is enabled by default in private mode Feb 1, 2021
@srirambv
Copy link
Contributor

srirambv commented Feb 5, 2021

Verification passed on

Brave 1.20.100 Chromium: 88.0.4324.146 (Official Build) (64-bit)
Revision 406dc88511162d6598242f2c709be1414a042fb0-refs/branch-heads/4324@{#2088}
OS Linux
  • Verified steps from issue description
  • Verified Crypto Wallet is not enabled by default on private window
    image

Verification passed on

Brave 1.20.100 Chromium: 88.0.4324.146 (Official Build) (64-bit)
Revision 406dc88511162d6598242f2c709be1414a042fb0-refs/branch-heads/4324@{#2088}
OS Windows 10 OS Version 2009 (Build 19042.746)
  • Verified steps from issue description
  • Verified Crypto Wallet is not enabled by default on private window
    image

Verification passed on

Brave 1.20.100 Chromium: 88.0.4324.146 (Official Build) (x86_64)
Revision 406dc88511162d6598242f2c709be1414a042fb0-refs/branch-heads/4324@{#2088}
OS macOS Version 10.15.7 (Build 19H114)
  • Verified steps from issue description
  • Verified Crypto Wallet is not enabled by default on private window
    image

@LaurenWags LaurenWags mentioned this issue Feb 8, 2021
Closed
@bbondy bbondy mentioned this issue Feb 9, 2021
Closed
@srirambv srirambv added feature/ethereum-remote-client and removed feature/web3/wallet Integrating Ethereum+ wallet support labels Sep 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@darkdh darkdh

Labels
feature/ethereum-remote-client feature/private-browsing OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. privacy QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-Plan-Specified QA/Yes release-notes/include security
Projects
None yet
Milestone
1.20.x - Release
Development

Successfully merging a pull request may close this issue.

Handle "Allow in private" for Crypto Wallet and Greaselion brave/brave-core
5 participants
@diracdeltas @bbondy @kholbekj @darkdh @srirambv