ethereum.js and security #77

Closed
kumavis opened this issue Feb 25, 2015 · 5 comments

@kumavis
Contributor

kumavis commented Feb 25, 2015

I seem to have stumbled upon a mixup in the role of ethereum.js, with important security connotations. It seems it is being used for the following two purposes:

  • (1) UI and ethereum-client communication
  • (2) Dapp's access to the blockchain

Note: here I define Dapp as any html document with web3 exposed in its javascript context

While there is a lot of overlap between these two roles, there is an important difference. The UI is a privileged entity and the Dapp must be assumed to be a malicious entity (just like any webpage on the internet). As it currently stands we are exposing some sensitive things to a potentially malicious Dapp.

The primary vulnerability is an attacker sending themselves ether.

web3.eth.sendTransaction({
  to: $AddressOfAttacker,
  from: web3.eth.coinbase,
  value: $amountInVictimsAccount,
})

Another attack is retargeting the client's coinbase to their own.

web3.eth.coinbase = $AddressOfAttacker
web3.eth.mining = true
@kumavis kumavis changed the title ethereum.js and security vuln ethereum.js and security Feb 25, 2015
@kumavis
Contributor Author

kumavis commented Feb 25, 2015

some related issues
ethereum/go-ethereum#329
ethereum/go-ethereum#281

@frozeman
Contributor

I agree, setting the coinbase makes no real sense for the dapp to do. We can easily deactivate this.
But we will have user confirmation before any transactions. Therefore the user will see if something wants to send something, and from whom to whom. So it's actually not so risky anymore.

@kumavis
Contributor Author

kumavis commented Feb 26, 2015

Yes the sendTransaction seemed like there must have been something I was missing b/c no one would blanket allow that. As you say mining and coinbase as read-write are a little crazy.

@debris
Contributor

debris commented Mar 6, 2015

We decided to remove the ability to change mining and coinbase from the jsonrpc api, so they won't be available in javascript as well.

@kumavis
Contributor Author

kumavis commented Mar 6, 2015

excellent

@kumavis kumavis closed this as completed Mar 6, 2015
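
The outcome of this thread (no coinbase or mining setters reachable from a Dapp, user confirmation before any transaction) expressed as a default-deny request gate. This is an added example, not code from ethereum.js or go-ethereum; `gateDappRequest`, the `confirm` callback, the setter method names `eth_setCoinbase` and `eth_setMining`, and the sample requests are assumptions made for illustration.

```javascript
// Added example: default-deny gate for JSON-RPC requests issued by an untrusted Dapp.
// eth_setCoinbase / eth_setMining are assumed names for the setters discussed above.
const READ_ONLY = new Set(['eth_coinbase', 'eth_mining', 'eth_accounts',
                           'eth_getBalance', 'eth_blockNumber', 'eth_call']);
const NEEDS_CONFIRMATION = new Set(['eth_sendTransaction']);

// Build a JSON-RPC 2.0 error response so the Dapp receives a well-formed refusal.
function deny(req, code, message) {
  const id = req && req.id !== undefined ? req.id : null;
  return { action: 'deny', response: { jsonrpc: '2.0', id, error: { code, message } } };
}

// `confirm` is a hypothetical callback owned by the privileged UI. It must show
// from/to/value to the user and return true only on explicit approval.
function gateDappRequest(req, confirm) {
  if (!req || typeof req.method !== 'string') return deny(req, -32600, 'invalid request');
  if (READ_ONLY.has(req.method)) return { action: 'forward', request: req };
  if (NEEDS_CONFIRMATION.has(req.method)) {
    const tx = Array.isArray(req.params) ? req.params[0] : null;
    if (!tx || typeof tx !== 'object') return deny(req, -32602, 'missing transaction object');
    // The Dapp cannot approve on the user's behalf: anything but `true` is a refusal.
    const approved = confirm({ from: tx.from, to: tx.to, value: tx.value }) === true;
    return approved ? { action: 'forward', request: req }
                    : deny(req, -32000, 'transaction rejected by user');
  }
  // Setters and every unknown method stop here and never reach the client.
  return deny(req, -32601, 'method not available to Dapps');
}

// Constructed sample requests; addresses are placeholders, not real accounts.
const SAMPLE_REQUESTS = [
  { jsonrpc: '2.0', id: 1, method: 'eth_coinbase', params: [] },
  { jsonrpc: '2.0', id: 2, method: 'eth_setCoinbase', params: ['0xOTHER_PLACEHOLDER'] },
  { jsonrpc: '2.0', id: 3, method: 'eth_setMining', params: [true] },
  { jsonrpc: '2.0', id: 4, method: 'eth_sendTransaction',
    params: [{ from: '0xUSER_PLACEHOLDER', to: '0xOTHER_PLACEHOLDER', value: '0x1' }] },
];

// Run every sample through the gate with the given confirmation behaviour.
function runSamples(confirm) {
  return SAMPLE_REQUESTS.map((r) => gateDappRequest(r, confirm).action);
}
```

The allow-list is the important design choice: a method added to the client later stays unreachable from Dapps until someone deliberately lists it.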