Category: Coding Mistakes

Improper host validation in QR-code proof request

Low Severity
Low Impact
High Likelihood

Description

The regular expression used to classify scanned QR-code data only checks that the string begins with https://rclm.link; it does not require the host to end there. As a result, a URL on an attacker-controlled host such as https://rclm.link.evil.example.com is classified as the shortened URL of a legitimate proof request.

This issue occurs in reclaim-app/src/components/QRScanner/index.tsx:

// Anchored only at the start: nothing after "rclm.link" is required, so any host
// that merely begins with "rclm.link" (e.g. rclm.link.evil.example.com) also matches.
const RECLAIM_SHORTENED_URL_REGEX = /^https:\/\/rclm\.link/

const retrieveDataType = (data: string): RetreivedDataType => {
  if (data.match(RECLAIM_SHARE_REGEX) || data.match(RECLAIM_SHORTENED_URL_REGEX)) {
    return 'requested-proofs'
  }
  // remaining branches of the function are not reproduced in the report
}

Impact

Users are more susceptible to phishing: a QR code pointing at an attacker-controlled host is accepted as a proof request, the link looks like a trusted rclm.link shortened URL, and the JSON payload behind the shortened link is not visible to the user.

Recommendations

The Reclaim app should validate the host of the URL properly instead of matching a bare prefix: parse the URL and compare the hostname exactly, or at minimum require the link to start with https://rclm.link/ (with the trailing slash, which terminates the host component).
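The following is an added example, not code from the Reclaim app or from the Zellic report. It places the prefix-only regex quoted in the finding beside a hardened check that parses the URL and compares the hostname exactly, and it goes beyond the single rclm.link.evil.example.com case in the text to other inputs that share the same prefix (a userinfo segment, a longer label). The helper names and the sample QR payloads are assumptions made for illustration; the trusted host is assumed to be exactly rclm.link.

```typescript
// Added example: prefix-only regex from the finding vs. an exact hostname check.
// Not part of the Reclaim app; helper names and sample inputs are constructed here.

// Regex as quoted in the finding. It is anchored at the start only, so any string
// that begins with "https://rclm.link" matches regardless of what follows.
const RECLAIM_SHORTENED_URL_REGEX = /^https:\/\/rclm\.link/

// Hypothetical helper mirroring the original classification logic.
export function matchesVulnerableRegex(data: string): boolean {
  return RECLAIM_SHORTENED_URL_REGEX.test(data)
}

// Assumed: the only legitimate shortener host is exactly this one.
export const TRUSTED_SHORTENER_HOST = 'rclm.link'

// Hardened check: parse with the WHATWG URL parser, then require https and an
// exact hostname match. Anything that does not parse as a URL is rejected.
export function isReclaimShortenedUrl(data: string): boolean {
  let url: URL
  try {
    url = new URL(data)
  } catch {
    return false
  }
  if (url.protocol !== 'https:') return false
  // url.hostname is normalised to lower case and excludes userinfo and port, so
  // "https://rclm.link@evil.example.com/" yields hostname "evil.example.com".
  if (url.hostname !== TRUSTED_SHORTENER_HOST) return false
  // Credentials in the authority are never expected for a shortened link.
  if (url.username !== '' || url.password !== '') return false
  return true
}

// Hypothetical replacement for the vulnerable branch of retrieveDataType: only
// an exact-host match is treated as a proof request.
export function retrieveDataTypeHardened(data: string): 'requested-proofs' | 'unknown' {
  return isReclaimShortenedUrl(data) ? 'requested-proofs' : 'unknown'
}

// Constructed sample QR payloads (not taken from any real report or app).
export const SAMPLE_QR_PAYLOADS: string[] = [
  'https://rclm.link/abc123',                      // legitimate
  'https://rclm.link.evil.example.com/abc123',     // the case from the finding
  'https://rclm.link@evil.example.com/abc123',     // host hidden behind userinfo
  'https://rclm.linkevil.example.com/abc123',      // longer first label
  'http://rclm.link/abc123',                       // wrong scheme
  'not a url',
]

// Returns, for each sample, what the old regex and the hardened check decide.
export function compareChecks(): Array<{ input: string; regex: boolean; hardened: boolean }> {
  return SAMPLE_QR_PAYLOADS.map((input) => ({
    input,
    regex: matchesVulnerableRegex(input),
    hardened: isReclaimShortenedUrl(input),
  }))
}

for (const row of compareChecks()) {
  console.log(`${row.input}\n  regex: ${row.regex}  hardened: ${row.hardened}`)
}
```

The hardened check deliberately rejects anything it cannot parse rather than falling back to a string comparison, and it compares url.hostname (already lower-cased and stripped of userinfo and port by the parser) instead of the raw string, so https://RCLM.LINK/abc123 is accepted while every prefix-only bypass above is refused.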

Remediation

Zellic © 2025