zashi-ios includes code for handling deeplinks through the URL scheme “zcash://”. URL scheme handlers can be registered by other apps on the device, which leads to two potential attacks.
First, there is an attack on privacy. Another app that has registered for zcash: will be able to see when such URLs are clicked, and see their contents. If these are used for payment request URIs, the other app will learn the embedded destination address and amount.
Second, there is an attack on integrity, which could lead to theft of funds if the user is not careful. An app could register a handler for zcash: and then when a payment URI is clicked, it could modify the destination address or amount. The address and amount are displayed to the user before generating the transaction, but the user might not notice that the address is different from what was in the URL they clicked, and their funds could be stolen.
I recommend disabling zcash: deeplinks entirely for the Zashi 1.0 release, both because of these risks and because proper payment URI parsing (ZIP 321) is not yet implemented.
This kind of interception can be prevented by using Universal Links. Universal Links are specific to a domain name, and for an app to register a handler, its developer must prove that they control the domain name by hosting an apple-app-site-association file containing a list of approved apps.
The drawback to using Universal Links is that payment request URIs would have to be wallet-specific, i.e. the generator of the URI would have to know which wallet the user has installed, in order to use the correct domain name. Alternatively, a trusted party could maintain a list of “approved” wallets and grant them all access to register Universal Link handlers for the same domain name.
Essentially the same issue was previously documented in rationale for ZIP 324. I assess that it is well enough known that this ticket can be public.
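As an added illustration of the "approved wallets" option above (this is not code from the issue, from @defuse's report, or from the zashi-ios project), the following Python audits an apple-app-site-association (AASA) document: it parses both the legacy `appID`/`paths` layout and the current `appIDs`/`components` layout, lists every app ID that the domain owner has authorised to open a given path, and flags any that are not on a hypothetical allow-list of approved wallets. The sample AASA document, the team IDs, and the bundle identifiers are constructed for the example.

```python
from __future__ import annotations

import json
from fnmatch import fnmatchcase

# Constructed sample AASA document of the kind Apple fetches from
# https://<domain>/.well-known/apple-app-site-association.  Team IDs and
# bundle identifiers are hypothetical.  Note that the exclusion for walletA
# is listed before its broader "/pay/*" rule; see _claims_path for why.
SAMPLE_AASA = """
{
  "applinks": {
    "apps": [],
    "details": [
      {
        "appIDs": ["ABCDE12345.com.example.walletA"],
        "components": [
          { "/": "/pay/internal/*", "exclude": true },
          { "/": "/pay/*", "comment": "payment request URIs" }
        ]
      },
      {
        "appID": "ZYXWV98765.com.example.walletB",
        "paths": ["/pay/*"]
      }
    ]
  }
}
"""

# Hypothetical allow-list maintained by the trusted party.
APPROVED_WALLETS = {"ABCDE12345.com.example.walletA"}


def _app_ids(entry: dict) -> list[str]:
    """App IDs named by one "details" entry.

    The current layout uses "appIDs" (a list); the legacy layout uses a
    single "appID" string.  Both are accepted here.
    """
    if "appIDs" in entry:
        return list(entry["appIDs"])
    if "appID" in entry:
        return [entry["appID"]]
    return []


def _patterns(entry: dict) -> list[tuple[str, bool]]:
    """(pattern, excluded) pairs for one entry, in declaration order.

    Current layout: "components" objects whose "/" key is the path pattern
    and whose optional "exclude": true marks paths the app does NOT handle.
    Legacy layout: "paths" strings, where a "NOT " prefix marks an exclusion.
    """
    out: list[tuple[str, bool]] = []
    for comp in entry.get("components", []):
        if "/" in comp:
            out.append((comp["/"], bool(comp.get("exclude", False))))
    for pat in entry.get("paths", []):
        if pat.startswith("NOT "):
            out.append((pat[4:], True))
        else:
            out.append((pat, False))
    return out


def _claims_path(entry: dict, path: str) -> bool:
    """True if this entry routes `path` to its app IDs.

    Assumption: patterns are evaluated in order and the first match wins, so
    an exclusion only takes effect if it precedes a broader rule.  Apple's
    `*` and `?` wildcards are mapped onto fnmatch, which is adequate for an
    audit but is not byte-for-byte Apple's matcher.
    """
    for pattern, excluded in _patterns(entry):
        if fnmatchcase(path, pattern):
            return not excluded
    return False


def handlers_for_path(aasa_json: str, path: str) -> set[str]:
    """Every app ID the AASA document authorises to open `path` on this domain."""
    doc = json.loads(aasa_json)
    handlers: set[str] = set()
    for entry in doc.get("applinks", {}).get("details", []):
        if _claims_path(entry, path):
            handlers.update(_app_ids(entry))
    return handlers


def unapproved_handlers(aasa_json: str, path: str, approved: set[str]) -> set[str]:
    """App IDs that can receive `path` but are not on the approved-wallet list."""
    return handlers_for_path(aasa_json, path) - approved


if __name__ == "__main__":
    print("handlers for /pay/abc:", sorted(handlers_for_path(SAMPLE_AASA, "/pay/abc")))
    print("unapproved:", sorted(unapproved_handlers(SAMPLE_AASA, "/pay/abc", APPROVED_WALLETS)))
```

Run against the sample, walletB shows up as an unapproved handler for `/pay/abc` because the domain owner listed it in the AASA file even though it is not on the allow-list; that is exactly the review a trusted party would need to perform before publishing the file, since anything listed there can receive the payment URI.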
From @defuse's draft report:

> Essentially the same issue was previously documented in rationale for ZIP 324. I assess that it is well enough known that this ticket can be public.