Cleartext password in the browser's session storage
Description
After a user creates or unlocks their wallet, the password is written in plaintext to the extension's session storage (`extension.storage.session`). The password is a critical secret that protects the keychain and should never be available in plaintext form outside the unlock call itself.
// Vulnerable: the password is persisted verbatim in session storage
// right after the keychain is created.
const createWallet = async (password: string) => {
    const address = await controller.createNewKeychain(password);
    if (IS_EXTENSION_RUNTIME) {
        await extension.storage.session.set({ storedPassword: password });
    }
    return address;
};

// Vulnerable: the same plaintext password is persisted on every unlock.
const unlock = async (password: string) => {
    const keyrings = await controller.unlock(password);
    if (IS_EXTENSION_RUNTIME) {
        await extension.storage.session.set({ storedPassword: password });
    }
    return keyrings;
};
Impact
An attacker with physical access to the machine, or one who can read the extension's storage through a cross-domain exploit, can recover the plaintext password and, with it, the mnemonic phrase.
Recommendations
Handling of the plaintext password should be kept to a minimum: it should be discarded immediately after use, or encrypted before it is stored, rather than persisted as-is.
Remediation
A fix was introduced in commit 0b6c08fb by encrypting the password before setting it in the local storage. A refactor of the flow is planned, which will remove the password from storage entirely. It is worth noting that the stored password is not permanent: it is automatically deleted after five minutes of inactivity.
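As an added illustration of the recommendation and of the planned refactor (not code from the audited project), the following TypeScript puts the vulnerable unlock flow beside a hardened one that never persists the password and instead tracks unlock state in memory with an idle deadline. `FakeSessionStorage`, `FakeController`, `UnlockSession` and `compare` are all constructed here as stand-ins for `extension.storage.session` and `controller`; the five-minute idle lifetime mirrors the one described in the remediation.

```typescript
// Added example; none of this is the audited project's code. FakeSessionStorage
// and FakeController are constructed stand-ins for extension.storage.session and
// the keyring controller.

type Items = Record<string, unknown>;

// Stand-in for extension.storage.session: anything that can call the extension's
// storage API, or dump the profile while the session lives, sees its contents.
class FakeSessionStorage {
  private items: Items = {};
  async set(items: Items): Promise<void> {
    this.items = { ...this.items, ...items };
  }
  // Everything currently visible to a reader of the storage area.
  dump(): Items {
    return { ...this.items };
  }
}

// Stand-in for the keyring controller: checks the password and tracks lock state.
class FakeController {
  private readonly expected: string;
  private unlocked = false;
  constructor(expected: string) {
    this.expected = expected;
  }
  async unlock(password: string): Promise<string[]> {
    if (password !== this.expected) throw new Error('wrong password');
    this.unlocked = true;
    return ['keyring-1'];
  }
  async lock(): Promise<void> {
    this.unlocked = false;
  }
  isUnlocked(): boolean {
    return this.unlocked;
  }
}

// The vulnerable shape from the finding: the password is persisted verbatim.
async function unlockStoringPassword(
  controller: FakeController,
  storage: FakeSessionStorage,
  password: string,
): Promise<string[]> {
  const keyrings = await controller.unlock(password);
  await storage.set({ storedPassword: password });
  return keyrings;
}

// Hardened shape: the password is consumed by the unlock call and never stored.
// Unlock state lives in memory with an idle deadline instead of being recovered
// by re-reading the password. `now` is injectable so expiry can be driven in tests.
class UnlockSession {
  private readonly controller: FakeController;
  private readonly idleMs: number;
  private readonly now: () => number;
  private lastActivity = Number.NEGATIVE_INFINITY;

  constructor(controller: FakeController, idleMs: number, now: () => number = () => Date.now()) {
    this.controller = controller;
    this.idleMs = idleMs;
    this.now = now;
  }

  async unlock(password: string): Promise<string[]> {
    const keyrings = await this.controller.unlock(password);
    this.lastActivity = this.now();
    return keyrings; // `password` goes out of scope here; nothing retains it
  }

  // Call on user activity to extend the session.
  touch(): void {
    if (this.controller.isUnlocked()) this.lastActivity = this.now();
  }

  // Run periodically (e.g. from an alarm); returns true when it locked the wallet.
  async enforceIdleLock(): Promise<boolean> {
    const idle = this.now() - this.lastActivity >= this.idleMs;
    if (this.controller.isUnlocked() && idle) {
      await this.controller.lock();
      return true;
    }
    return false;
  }
}

const FIVE_MINUTES_MS = 5 * 60 * 1000;

// Runs both patterns with the same password and reports what a storage reader
// would see under each, plus whether the hardened session locks itself on idle.
async function compare(password: string): Promise<{
  vulnerableStorage: Items;
  hardenedStorage: Items;
  unlockedBeforeIdle: boolean;
  lockedAfterIdle: boolean;
}> {
  const vulnerableStorage = new FakeSessionStorage();
  await unlockStoringPassword(new FakeController(password), vulnerableStorage, password);

  let clock = 0;
  const hardenedStorage = new FakeSessionStorage(); // never written to
  const session = new UnlockSession(new FakeController(password), FIVE_MINUTES_MS, () => clock);
  await session.unlock(password);
  clock = FIVE_MINUTES_MS - 1;
  const lockedEarly = await session.enforceIdleLock();
  clock = FIVE_MINUTES_MS;
  const lockedAfterIdle = await session.enforceIdleLock();

  return {
    vulnerableStorage: vulnerableStorage.dump(),
    hardenedStorage: hardenedStorage.dump(),
    unlockedBeforeIdle: !lockedEarly,
    lockedAfterIdle,
  };
}

compare('constructed-sample-password').then((r) => console.log(r));
```

One caveat on the "delete after use" half of the recommendation: JavaScript strings are immutable and cannot be zeroised, so the only reliable way to keep the password out of reach is never to hold a reference to it beyond the unlock call, which is what `UnlockSession.unlock` does. Encrypting before storing, as the interim fix does, only helps if the key is held somewhere the storage reader cannot also reach.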