Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Pontem Aptos Wallet>Low findings>Cleartext password in the browser's session storage
GeneralOverview
Findings
Medium (1)
Low (3)Low password complexityCleartext password in the browser's session storageRPC responses
DiscussionNew wallet creationPotentially insecure functionTypographical errorUnclear message signing flow
Audit ResultsAudit Results
Category: Coding Mistakes

Cleartext password in the browser's session storage

Low Severity
High Impact
Low Likelihood

Description

After a user creates or unlocks their wallet, their password is stored in plaintext in the session storage. This is a critical piece of information and should never be available in plaintext form.

const createWallet = async (password: string) => {
  const address = await controller.createNewKeychain(password);
  if (IS_EXTENSION_RUNTIME) {
    await extension.storage.session.set({ storedPassword: password });
  }

  return address;
};
const unlock = async (password: string) => {
  const keyrings = await controller.unlock(password);
  if (IS_EXTENSION_RUNTIME) {
    await extension.storage.session.set({ storedPassword: password });
  }

  return keyrings;
};

Impact

An attacker with physical access to the machine or a cross-domain exploit can leak the plaintext password and mnemonic phrase.

Recommendations

Handling of the plaintext password should be kept to the minimum and should be immediately deleted or encrypted after use.

Remediation

A fix was introduced in commit 0b6c08fb by encrypting the password before setting it in the local storage. A refactor of the flow is planned, which will remove the password from storage entirely. It's worth noting that the password is not stored permanently and is automatically deleted after five minutes of inactivity.

Zellic © 2024Back to top ↑