[iOS] Push Notifications can be used as a phishing attack vector #2886

lukasschor · 2023-01-30T10:49:20Z

Bug description
Malicious attacker is able push phising transactions to the iOS mobile app that do not have any signatures from any of the owners or a delegate.

Steps To Reproduce
Assumption:

Send malicious transaction to backend for a Safe where an owner has the mobile app installed
Hope that mobile app owner opens transaction via push notification banner
Hope that the mobile app owner blind-signs and executes the transaction

Expected Result

Transaction service only sends push notifications if one of the owner or a delegate signed the tx
The mobile app only displays push notifications if one of the owner or a delegate signed the tx

Examples

Example safeTxhashes of "test" phishing attempts
0x899fc4f14702977be37afe1187a6d5431c28f037ee9a6dc38c5b779165b4b6ab
0x4670c44c9609ea89fb7d5eb32295d8e1dcd200b38a460678b93b67f6b44279e5

Device & App version

Device/OS: iPhone 14 Pro
App version: 3.18.1 (1435)

DmitryBespalov · 2023-01-30T12:05:58Z

The issue for now will be patched on the server side

Uxio0 · 2023-01-30T15:38:18Z

safe-global/safe-transaction-service#1302

Handles #2886 Changes proposed in this pull request: - Shows warning in the transaction details if: - transaction is awaiting signatures or execution AND - ( transaction has no confirmations OR - confirming addresses are not safe owners OR - confirming addresses do not match recovered addresses from confirmation signatures )

liliya-soroka · 2023-12-21T11:43:08Z

Verified

lukasschor added bug Doesn't work as expected Critical Fix ASAP labels Jan 30, 2023

DmitryBespalov mentioned this issue Jan 30, 2023

Handle untrusted transactions in the whole tx life cycle #2887

Closed

Uxio0 mentioned this issue Jan 30, 2023

Don't send notifications for not trusted txs safe-global/safe-transaction-service#1302

Merged

DmitryBespalov self-assigned this Nov 20, 2023

DmitryBespalov added a commit that referenced this issue Nov 20, 2023

GH-2886 add check for transaction signatures

1d8f2e6

DmitryBespalov added a commit that referenced this issue Nov 20, 2023

GH-2886 disable warning while not ready

1e1490d

DmitryBespalov mentioned this issue Nov 20, 2023

Gh 2886/warning in transactions #3364

Merged

DmitryBespalov added a commit that referenced this issue Nov 21, 2023

GH-2886 test happy case

2b1b52c

DmitryBespalov added a commit that referenced this issue Nov 21, 2023

GH-2886 test cases for all branches of validation logic

036b4f5

DmitryBespalov added a commit that referenced this issue Nov 21, 2023

GH-2886 add descriptions

55513ea

DmitryBespalov added a commit that referenced this issue Nov 21, 2023

GH-2886 change names

852398e

DmitryBespalov added a commit that referenced this issue Dec 14, 2023

GH-2886 added handle for fcm testing

86d7403

DmitryBespalov mentioned this issue Dec 14, 2023

GH-2886 added handle for fcm testing #3371

Merged

DmitryBespalov added a commit that referenced this issue Dec 14, 2023

GH-2886 added handle for fcm testing (#3371)

8370afc

DmitryBespalov closed this as completed Jan 18, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[iOS] Push Notifications can be used as a phishing attack vector #2886

[iOS] Push Notifications can be used as a phishing attack vector #2886

lukasschor commented Jan 30, 2023 •

edited

DmitryBespalov commented Jan 30, 2023

Uxio0 commented Jan 30, 2023

liliya-soroka commented Dec 21, 2023

[iOS] Push Notifications can be used as a phishing attack vector #2886

[iOS] Push Notifications can be used as a phishing attack vector #2886

Comments

lukasschor commented Jan 30, 2023 • edited

DmitryBespalov commented Jan 30, 2023

Uxio0 commented Jan 30, 2023

liliya-soroka commented Dec 21, 2023

lukasschor commented Jan 30, 2023 •

edited