ethereum.js and security #77
Comments
some related issues
I agree, setting the coinbase makes no real sense for the dapp to do. we can easily deactivate this.
Yes the
we decided to remove ability to change
excellent
I seem to have stumbled upon a mixup in the role of ethereum.js, with important security connotations. It seems it is being used for the following two purposes:

Note: here I define Dapp as any html document with web3 exposed in its javascript context.

While there is a lot of overlap between these two roles, there is an important difference. The UI is a privileged entity and the Dapp must be assumed to be a malicious entity (just like any webpage on the internet). As it currently stands we are exposing some sensitive things to a potentially malicious Dapp.

The primary vulnerability is an attacker sending themselves ether.

Another attack is retargeting the client's coinbase to their own.
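The separation the report asks for, as an added example (this is not code from the ethereum.js project or from the issue's author): the privileged UI builds a restricted object for the untrusted page instead of handing it the raw web3 object. The client API here (makePrivilegedClient, with getCoinbase/setCoinbase/getBalance/sendTransaction) is a constructed stand-in for a real node connection, the addresses and balances are made up, and the confirm callback is assumed to be the UI's user-approval prompt. Read-only calls pass through, every send must be approved by the UI, and no method for changing the coinbase is exposed at all.

```javascript
// Added example: a privileged UI exposes a restricted API to an untrusted Dapp page.
// The "client" below is a constructed stand-in for the real node connection.

// Hypothetical privileged client API (constructed for this example).
function makePrivilegedClient() {
  const state = {
    coinbase: '0xaaaa000000000000000000000000000000000001',
    balances: { '0xaaaa000000000000000000000000000000000001': 100n },
    sent: [],
  };
  return {
    getCoinbase: () => state.coinbase,
    setCoinbase: (addr) => { state.coinbase = addr; },
    getBalance: (addr) => (addr in state.balances ? state.balances[addr] : 0n),
    sendTransaction: (tx) => { state.sent.push(tx); return state.sent.length; },
    _state: state, // exposed only so the scenario below can inspect results
  };
}

// Methods an untrusted page may call directly: reads only, nothing that moves
// funds or changes client settings.
const READ_ONLY = ['getCoinbase', 'getBalance'];

// Build the object that gets injected into the Dapp's javascript context.
// `confirm(tx)` is the UI's job: return true only after the user has seen and
// approved the transaction. Coinbase changes are simply not part of this object.
function makeDappApi(client, confirm, audit = []) {
  const api = {};
  for (const name of READ_ONLY) {
    api[name] = (...args) => client[name](...args);
  }
  api.sendTransaction = (tx) => {
    if (!confirm(tx)) {
      // Record rejected attempts so the UI can show or log them.
      audit.push({ blocked: 'sendTransaction', tx });
      throw new Error('transaction rejected by user');
    }
    return client.sendTransaction(tx);
  };
  // Frozen so the page cannot add or replace methods on the shared object.
  return Object.freeze(api);
}

// Scenario: a page that must not be trusted tries both actions the report
// names, and the UI never approves anything.
function runScenario() {
  const client = makePrivilegedClient();
  const audit = [];
  const web3 = makeDappApi(client, () => false, audit);
  const results = { sendBlocked: false, coinbaseChangeImpossible: false, readsWork: false, auditEntries: 0 };

  try {
    web3.sendTransaction({ to: '0xbbbb000000000000000000000000000000000002', value: 100n });
  } catch (e) {
    results.sendBlocked = client._state.sent.length === 0;
  }
  results.coinbaseChangeImpossible = typeof web3.setCoinbase === 'undefined'
    && client.getCoinbase() === '0xaaaa000000000000000000000000000000000001';
  results.readsWork = web3.getBalance(web3.getCoinbase()) === 100n;
  results.auditEntries = audit.length;
  return results;
}

// Scenario: the same send, but the user approves it in the UI; returns the
// number of transactions the privileged client actually sent.
function runApprovedSend() {
  const client = makePrivilegedClient();
  const web3 = makeDappApi(client, () => true);
  web3.sendTransaction({ to: '0xbbbb000000000000000000000000000000000002', value: 1n });
  return client._state.sent.length;
}

module.exports = { makePrivilegedClient, makeDappApi, runScenario, runApprovedSend };
```

The point of the split is that the object the page sees has no code path to the privileged operations; the UI keeps the real client reference and decides, per transaction, whether to forward a send. The audit array is the minimal detection hook: rejected attempts are visible to the UI rather than silently swallowed.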