Category: Coding Mistakes

Address bar not updated before page load

Severity: Low
Impact: Low
Likelihood: High

Description

The Reclaim WebView updates the address bar to the new origin while displaying the previous origin's content without any indication that the new page is loading. This may confuse users and lead to phishing attacks.

The address-bar change occurs in reclaim-app/src/components/DevToolWebview/index.tsx:

const DevToolWebView: React.FC<DevTollWebViewProps> = forwardRef(
  // ...
  return (
    <WebView
    // ...
    onNavigationStateChange={({ url }) => {
      ref.current?.injectJavaScript(INJECTION)
      urlInputUpdate(url)
    }}

Impact

An attacker can intentionally slow down the loading of the new page, allowing them to display a phishing page with a legitimate-looking address bar. This may lead users to believe they are visiting a trusted website and choose to enter their credentials or other sensitive information.

Recommendations

The WebView component should indicate when the page is loading with a spinner or similar UI element.
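One way to model this recommendation, as an added example that is not Reclaim's or Zellic's code: the address-bar state is a pure reducer over navigation events, so the bar shows a loading indicator and flags a pending origin change. It goes one step beyond the recommendation by also holding the displayed URL until the load finishes. It assumes each navigation event carries `url` and a `loading` flag; all type and function names are hypothetical.

```typescript
// Added example (not Reclaim's code): address-bar state as a pure reducer.
// NavEvent is an assumed shape: the `url` and `loading` fields of a navigation event.
type NavEvent = { url: string; loading: boolean };

interface BarState {
  committedUrl: string;      // URL whose content is currently on screen
  pendingUrl: string | null; // navigation target that has not finished loading
}

interface BarView {
  text: string;            // what the address bar displays
  showSpinner: boolean;    // loading indicator, per the recommendation
  originChanging: boolean; // pending origin differs from the visible one
}

// Scheme + authority, lowercased; empty string for anything without "://".
function originOf(url: string): string {
  const m = url.match(/^[a-z][a-z0-9+.-]*:\/\/[^\/?#]+/i);
  return m ? String(m[0]).toLowerCase() : "";
}

function reduceNav(state: BarState, ev: NavEvent): BarState {
  // Load in progress: remember the target, keep showing the visible URL.
  if (ev.loading) return { committedUrl: state.committedUrl, pendingUrl: ev.url };
  // Load finished: the new content is on screen, so the bar may show it.
  return { committedUrl: ev.url, pendingUrl: null };
}

function viewOf(state: BarState): BarView {
  const pending = state.pendingUrl;
  return {
    text: state.committedUrl,
    showSpinner: pending !== null,
    originChanging: pending !== null && originOf(pending) !== originOf(state.committedUrl),
  };
}

// Constructed event sequence: a slow cross-origin navigation from site A to site B.
const sampleEvents: NavEvent[] = [
  { url: "https://site-a.example/", loading: false },
  { url: "https://site-b.example/login", loading: true },
  { url: "https://site-b.example/login", loading: false },
];

function replay(events: NavEvent[]): BarView[] {
  let state: BarState = { committedUrl: "about:blank", pendingUrl: null };
  return events.map((ev) => { state = reduceNav(state, ev); return viewOf(state); });
}
```

While the second event is pending, the bar still reads `https://site-a.example/` with the spinner on, so the old content is never labelled with the new origin.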

Remediation

Zellic © 2025