Assessment report: Pontem Aptos Wallet (Low findings)
Category: Coding Mistakes

Low password complexity threshold

Low Severity
High Impact
Medium Likelihood

Description

The only strength requirement enforced on the keyring password is a minimum length of six characters (MIN_PASSWORD_LENGTH); there is no check on character classes, common passwords, or reuse of the account name.

// Types and constant referenced by the snippet, reconstructed from their usage so
// the excerpt stands alone; they are not copied from the wallet source. The report
// states that MIN_PASSWORD_LENGTH was six at the time of the assessment.
type SubmitPasswordFormValues = { password: string; confirm: string; agreed: boolean };
type SubmitPasswordFormErrors = { password?: string; confirm?: string; agreed?: string };
const MIN_PASSWORD_LENGTH = 6;

const validate = (values: SubmitPasswordFormValues) => {
  const errors: SubmitPasswordFormErrors = {};

  if (!values.password) {
    errors.password = "Password required";
  } else if (values.password.length < MIN_PASSWORD_LENGTH) {
    // The only strength check: six characters of any kind are accepted.
    errors.password = `Password length should contain minimum ${MIN_PASSWORD_LENGTH} characters`;
  }

  if (!values.confirm) {
    errors.confirm = "Password confirmation required";
  } else if (values.confirm.length < MIN_PASSWORD_LENGTH) {
    errors.confirm = `Password confirmation length should contain minimum ${MIN_PASSWORD_LENGTH} characters`;
  } else if (values.confirm !== values.password) {
    errors.confirm = "Password confirmation not similar";
  }

  if (!values.agreed) {
    errors.agreed = "You need to agree with terms and conditions";
  }

  return errors;
};

Impact

An attacker who obtains a copy of the encrypted keyring can test candidate passwords offline, and a six-character password spans a search space small enough to be brute-forced in a matter of seconds, even before common-password lists are considered. Recovering the password yields the keyring contents and therefore a compromise of the wallet.

Recommendations

We recommend Pontem Technology Ltd. raise the minimum password length and additionally require lowercase letters, uppercase letters, and special characters.
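As an added example, not the wallet's own code and not the remediation the project shipped, the following TypeScript shows a validator of the kind the recommendation calls for, keeping the shape of the original form values and errors, together with a keyspace estimate that makes the Impact figure concrete. MIN_PASSWORD_LENGTH reuses the original constant's name with an assumed value of 12; the character-class rules, the error strings, and the 33-character alphabet assumed for special characters are illustrative assumptions.

```typescript
// Added example for the "Low password complexity threshold" finding. The value 12,
// the class rules and the alphabet sizes are assumptions, not the wallet's settings.

const MIN_PASSWORD_LENGTH = 12; // assumed; the original snippet used six

interface PasswordFormValues {
  password: string;
  confirm: string;
  agreed: boolean;
}

interface PasswordFormErrors {
  password?: string;
  confirm?: string;
  agreed?: string;
}

// Character classes the policy requires. Each is checked independently so the user
// is told exactly which class is missing. `size` is the class's alphabet size for the
// keyspace estimate; 33 assumes printable-ASCII punctuation for "special".
const REQUIRED_CLASSES: Array<{ name: string; re: RegExp; size: number }> = [
  { name: "a lowercase letter", re: /[a-z]/, size: 26 },
  { name: "an uppercase letter", re: /[A-Z]/, size: 26 },
  { name: "a digit", re: /[0-9]/, size: 10 },
  { name: "a special character", re: /[^A-Za-z0-9]/, size: 33 },
];

// Returns every policy violation; an empty list means the password is acceptable.
function passwordPolicyErrors(password: string): string[] {
  const errors: string[] = [];
  if (password.length < MIN_PASSWORD_LENGTH) {
    errors.push(`Password must be at least ${MIN_PASSWORD_LENGTH} characters`);
  }
  for (const cls of REQUIRED_CLASSES) {
    if (!cls.re.test(password)) {
      errors.push(`Password must contain ${cls.name}`);
    }
  }
  return errors;
}

// Drop-in replacement for the original validate(): same result shape, but the
// password branch now enforces the full policy rather than length alone.
function validate(values: PasswordFormValues): PasswordFormErrors {
  const errors: PasswordFormErrors = {};

  if (!values.password) {
    errors.password = "Password required";
  } else {
    const violations = passwordPolicyErrors(values.password);
    if (violations.length > 0) {
      errors.password = violations.join("; ");
    }
  }

  if (!values.confirm) {
    errors.confirm = "Password confirmation required";
  } else if (values.confirm !== values.password) {
    errors.confirm = "Password confirmation does not match";
  }

  if (!values.agreed) {
    errors.agreed = "You need to agree with terms and conditions";
  }
  return errors;
}

// Upper bound, in bits, on the candidates an offline attacker must try for a password
// of this length drawn from only the classes it actually uses. Six lowercase letters
// is about 28 bits; twelve characters over all four classes is about 79 bits. Real
// passwords have dictionary structure, so this overstates their strength.
function keyspaceBits(password: string): number {
  const alphabet = REQUIRED_CLASSES
    .filter((cls) => cls.re.test(password))
    .reduce((sum, cls) => sum + cls.size, 0);
  return alphabet === 0 ? 0 : password.length * Math.log2(alphabet);
}
```

The validator reports every failed rule at once rather than stopping at the first, which is what a user needs to fix the password in one attempt; the confirmation branch no longer repeats the length check because a confirmation that matches a policy-compliant password is necessarily long enough.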

Remediation

A fix was introduced in commit e6ad1094, which adds multiple requirements on password entry, including a minimum password length and mandatory special characters.

Zellic © 2024