Synopsis
The background script does not validate which method a request is attempting to call in the Emeris browser extension wallet, allowing attackers to call arbitrary functions in the internal emeris object. This allows attackers to call the popupHandler function directly and subsequently call getMnemonic. If an attacker is able to guess the password of the wallet, the mnemonic can be exfiltrated from the wallet.
Impact
A user’s seed phrases can be exfiltrated from the wallet without their knowledge. This would result in the loss of all their funds.
Remediation
We recommend implementing a check in pageHandler that verifies that request.action belongs in a pre-approved list of functions. Additionally, we recommend that validation be performed in the content-script that inspects the message to make sure that the data is structured only in the way expected by the requesting functions.
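The allowlist check the remediation describes, as an added example that is not the Emeris extension's own code: the emeris mock object, the payload shapes and the action names other than popupHandler/getMnemonic are assumptions, and the vulnerable dispatcher is only sketched for contrast.

```javascript
// Added example, not the Emeris extension's code. Mock of the privileged
// background object: two page-callable methods sit beside two privileged ones.
const emeris = {
  getAccounts: (_req) => ({ accounts: ['cosmos1example'] }),
  signTransaction: (req) => ({ signed: true, chainId: req.chainId }),
  popupHandler: (req) => ({ popup: req.action }),        // privileged
  getMnemonic: (_req) => ({ mnemonic: 'never-expose' }),  // privileged
};

// Shape described in the issue: request.action is used as a property name
// without validation, so every method of emeris is reachable from a page.
function pageHandlerVulnerable(request) {
  return emeris[request.action](request);
}

// Hardened: an explicit allowlist maps each page-callable action to a
// payload validator, so both the method and the message shape are checked.
const PAGE_ACTIONS = {
  getAccounts: (req) => Object.keys(req).every((k) => k === 'action'),
  signTransaction: (req) =>
    typeof req.chainId === 'string' && typeof req.msgs === 'object' && req.msgs !== null,
};

function pageHandler(request) {
  if (!request || typeof request.action !== 'string') {
    throw new Error('malformed request');
  }
  // hasOwnProperty.call avoids matching inherited names such as "constructor"
  // and a user-supplied action string named "hasOwnProperty".
  const validate = Object.prototype.hasOwnProperty.call(PAGE_ACTIONS, request.action)
    ? PAGE_ACTIONS[request.action]
    : null;
  if (!validate) {
    throw new Error(`action not allowed from page: ${request.action}`);
  }
  if (!validate(request)) {
    throw new Error(`unexpected payload for ${request.action}`);
  }
  return emeris[request.action](request);
}
```

Privileged methods stay callable from trusted extension pages through a separate handler; this one only serves messages originating from web content.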
@josietyleung commented on Tue May 10 2022
Refer to full audit report first - Issue A
https://allinbits.slack.com/archives/C02U9SVJT97/p1652107168347859