Category: Coding Mistakes
Origin impersonation via URL username and elision
High Severity
High Impact
High Likelihood
Description
The Fuelet wallet dApp WebView displays the current URL in the address bar. However, the WebView does not properly elide the URL starting from the end of the hostname, nor does it remove the username:password@ component from the URL. This allows an attacker to craft a URL that, when visited in the Fuelet WebView, appears nearly identical to a legitimate URL.

The address bar is rendered in fuelet/lib/presentation/browser/screens/browser_page_screen.dart:
Text(
  maxLines: 1,
  overflow: TextOverflow.ellipsis,
  browserWebAddressVm?.description.formatWithMaxLength(25) ?? "",
  style: NFTTypography.body2Medium.copyWith(
    color: theme.colorScheme.mainTextColor,
  ),
),
Impact
This issue allows any malicious website a user visits to impersonate another origin.
Recommendations
The Fuelet team should elide the URL starting from the end of the hostname and remove the username:password@ component from the URL.
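As an added illustration, not code from this finding or from the Fuelet project, the following Python models the two fixes recommended above and contrasts them with a plain prefix cut of the kind the description relies on. The names naive_truncate, display_origin and safe_display_url are assumptions, and formatWithMaxLength is modelled here as a plain prefix cut because its implementation is not shown on the page.

```python
from urllib.parse import urlsplit

ELLIPSIS = "\u2026"


def naive_truncate(url: str, max_length: int = 25) -> str:
    """Plain prefix cut (an assumed model of the address-bar behaviour):
    the host is not protected, so userinfo can fill the visible budget."""
    if len(url) <= max_length:
        return url
    return url[:max_length - 1] + ELLIPSIS


def display_origin(url: str) -> str:
    """scheme://host[:port] with any user:password@ component removed."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # hostname never includes userinfo
    if ":" in host:                      # re-bracket IPv6 literals
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def safe_display_url(url: str, max_length: int = 25) -> str:
    """Elide only after the hostname, so the real origin is always visible."""
    parts = urlsplit(url)
    origin = display_origin(url)
    rest = parts.path
    if parts.query:
        rest += "?" + parts.query
    if parts.fragment:
        rest += "#" + parts.fragment
    if len(origin) + len(rest) <= max_length:
        return origin + rest
    budget = max_length - len(origin) - 1   # leave room for the ellipsis
    if budget <= 0:
        # The origin alone fills the bar: show it whole rather than cut it.
        return origin + ELLIPSIS if rest else origin
    return origin + rest[:budget] + ELLIPSIS


if __name__ == "__main__":
    # Constructed example: "wallet.example" is only the userinfo part;
    # the page is actually served by attacker.example.
    deceptive = "https://wallet.example@attacker.example/connect"
    print(naive_truncate(deceptive))    # https://wallet.example@a…
    print(safe_display_url(deceptive))  # https://attacker.example…
```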
Remediation
This issue has been acknowledged by Fuelet Wallet, and a fix was implemented in commit efdef49.