Category: Coding Mistakes

Origin impersonation via URL username and elision

High Severity
High Impact
High Likelihood

Description

The Fuelet wallet dApp WebView displays the current URL in the address bar. However, the WebView does not properly

  • elide the URL starting from the end of the hostname

  • remove the username:password@ component from the URL

This allows an attacker to craft a URL that, when visited in the Fuelet WebView, appears nearly identical to a legitimate URL.

The address bar is rendered in fuelet/lib/presentation/browser/screens/browser_page_screen.dart:

// Address bar label: the raw URL string is cut to a fixed length,
// so any username:password@ prefix is shown and the real hostname
// may be cut off before it is displayed.
Text(
  maxLines: 1,
  overflow: TextOverflow.ellipsis,
  browserWebAddressVm?.description
          .formatWithMaxLength(25) ??
      "",
  style: NFTTypography.body2Medium.copyWith(
    color: theme.colorScheme.mainTextColor,
  ),
),

Impact

This issue allows any malicious website a user visits to impersonate another origin.

Recommendations

The Fuelet team should

  • elide the URL starting from the end of the hostname, and

  • remove the username:password@ component from the URL.
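The following is an added illustration, written in Python rather than the project's Dart, of the two display behaviours contrasted in the Description and the Recommendations above. It is not Fuelet's code and not the fix from the referenced commit. `naive_display` assumes that the page's `formatWithMaxLength(25)` cuts the raw URL string at 25 characters (an assumption, since the helper's body is not shown); `safe_display` applies both recommendations: drop the userinfo component and elide only what follows the hostname. All domain names in the examples are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

MAX_LEN = 25  # same display budget as the report's formatWithMaxLength(25)


def naive_display(url: str, max_len: int = MAX_LEN) -> str:
    """Assumed model of the reported behaviour: truncate the raw URL string
    from the end once it exceeds max_len. Userinfo is kept, and the cut can
    land before the real hostname is ever reached."""
    if len(url) <= max_len:
        return url
    return url[:max_len] + "…"


def safe_display(url: str, max_len: int = MAX_LEN) -> str:
    """Address-bar text that keeps the origin intact:
    1. drop username:password@ (userinfo) entirely,
    2. always show scheme://host[:port] in full, never truncated,
    3. elide only the path/query/fragment when the budget is exceeded."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("expected an absolute URL with a host")

    # Userinfo is everything before the last '@' in the authority component;
    # rsplit keeps the port and any IPv6 brackets untouched.
    host = parts.netloc.rsplit("@", 1)[-1]
    origin = f"{parts.scheme}://{host}"

    # Everything after the authority: "/path?query#fragment" (may be empty).
    rest = urlunsplit(("", "", parts.path, parts.query, parts.fragment))
    if not rest:
        return origin

    budget = max_len - len(origin)
    if budget <= 0:
        # The origin alone fills the bar: show it whole and elide the rest.
        return origin + "/…"
    if len(rest) <= budget:
        return origin + rest
    return origin + rest[:budget] + "…"


if __name__ == "__main__":
    # Constructed sample: the userinfo mimics a wallet hostname, the real
    # host is "other.example".
    sample = "https://wallet.legit.example@other.example/path/that/is/long"
    print("naive:", naive_display(sample))  # userinfo shown, real host cut off
    print("safe: ", safe_display(sample))   # real host shown in full
```

The naive form shows the attacker-controlled userinfo and never reaches the real host, while the safe form drops the userinfo and keeps the full authority on screen even when that alone exceeds the display budget. The same split applies in Dart: strip userinfo via `Uri.userInfo`/`Uri.host` before formatting, and apply any length limit only to the part after the host.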

Remediation

This issue has been acknowledged by Fuelet Wallet, and a fix was implemented in commit efdef49.

Zellic © 2025