Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve Mnemonic + Password handling security #150

Merged
merged 2 commits into from Jul 10, 2023
Merged

Improve Mnemonic + Password handling security #150

merged 2 commits into from Jul 10, 2023

Conversation

JSKitty
Copy link
Member

@JSKitty JSKitty commented Jul 8, 2023

Abstract

Previously, MPW left 'residue' of sensitive data such as Passwords and Mnemonics in memory (by keeping it in the HTML input values), thus, for example, after creating a new MPW wallet - as long as that initial session is open, your mnemonic is recoverable. The same goes for passwords; as long as the Prompt box was not reused, they were recoverable.

This PR fixes this by immediately wiping sensitive data from these input boxes as soon as possible.

Testing

Try this console command after Creating a new wallet:
document.getElementById('ModalMnemonicContent').innerText

Try this console command after Unlocking your wallet:
document.getElementById('restoreWalletPassword').value

In master MPW, those will return sensitive data - in this PR, all sensitive input boxes should be cleanly empty immediately after completing an action (Unlock, New Wallet, etc).

What does this PR address?

It addresses a potential, and very simple security leak in the UI, which could've been exploited by malware or even a malicious user with access to one's device locally or remotely.

What features or improvements were added?

N/A, security improvement only.

How does this benefit users?

MPW is slightly more resilient to easy attacks - yay!

@JSKitty JSKitty added Bug This is either a bugfix (PR) or a bug (issue). Enhancement New feature or request labels Jul 8, 2023
@JSKitty JSKitty requested review from Liquid369, Duddino, PalmTreeVI, BreadJS and a team July 8, 2023 09:51
@JSKitty JSKitty self-assigned this Jul 8, 2023
Liquid369
Liquid369 approved these changes Jul 8, 2023
View reviewed changes
Copy link

@Liquid369 Liquid369 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tACK f20be50

Nice catch especially before 1.0

Duddino
Duddino approved these changes Jul 10, 2023
View reviewed changes
Copy link
Member

@Duddino Duddino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tACK

@JSKitty JSKitty merged commit 4b5d2d2 into master Jul 10, 2023
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Liquid369 Liquid369 Liquid369 approved these changes

@Duddino Duddino Duddino approved these changes

@PalmTreeVI PalmTreeVI Awaiting requested review from PalmTreeVI

@BreadJS BreadJS Awaiting requested review from BreadJS

Assignees

@JSKitty JSKitty

Labels
Bug This is either a bugfix (PR) or a bug (issue). Enhancement New feature or request
Projects
My PIVX Wallet v2.0
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@JSKitty @Liquid369 @Duddino