Describe the bug
All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key.
Recommendation
No fix is currently available. Consider using an alternative module until a fix is made available.
GHSA-27v7-qhfv-rqq8
Thanks for reporting this. We are planning to migrate this repo away from all JS dependencies and switch to using Foundry for the smart contract tests.
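As an added example (not part of the issue and not the project's or web3's own code), the following audit can run in an application's tests over a Storage-like object to flag entries that hold wallet material of the kind the report describes. The storage key names and values are constructed, and the keystore check assumes the common version 3 JSON keystore layout.

```javascript
// Added example: flag wallet material in a Storage-like object (length/key/getItem).
// A 64-hex-digit string can also be a hash, so treat hits as findings to review.
const RAW_KEY = /^(0x)?[0-9a-fA-F]{64}$/;

// Assumption: version 3 JSON keystore shape ({version: 3, crypto: {ciphertext, kdf}}).
function isKeystoreV3(obj) {
  const c = obj.crypto || obj.Crypto;
  return obj.version === 3 && Boolean(c) &&
    typeof c.ciphertext === "string" && typeof c.kdf === "string";
}

// Returns "plaintext-private-key", "encrypted-keystore", or null for one stored value.
function classifyValue(value) {
  if (RAW_KEY.test(value.trim())) return "plaintext-private-key";
  let parsed;
  try { parsed = JSON.parse(value); } catch { return null; }
  let finding = null;
  for (const item of Array.isArray(parsed) ? parsed : [parsed]) {
    if (!item || typeof item !== "object") continue;
    if (typeof item.privateKey === "string" && RAW_KEY.test(item.privateKey)) {
      return "plaintext-private-key"; // worst case wins immediately
    }
    if (isKeystoreV3(item)) finding = "encrypted-keystore";
  }
  return finding;
}

function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const finding = classifyValue(String(storage.getItem(key)));
    if (finding) findings.push({ key, finding });
  }
  return findings;
}

// Constructed stand-in for window.localStorage so the audit runs outside a browser.
function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return { get length() { return map.size; },
           key: (i) => Array.from(map.keys())[i] ?? null,
           getItem: (k) => (map.has(k) ? map.get(k) : null) };
}

const sampleStorage = makeStorage({ // constructed values, not real keys
  theme: "dark",
  wallet_backup: JSON.stringify([{ version: 3, id: "constructed", crypto: { ciphertext: "ab12", kdf: "scrypt" } }]),
  session_account: JSON.stringify({ address: "0x" + "00".repeat(20), privateKey: "0x" + "11".repeat(32) }),
});
console.log(auditStorage(sampleStorage));
```

In a browser test, pass `window.localStorage` instead of the constructed stand-in.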