Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Reclaim Protocol>Medium findings>Callback address bar not updated after navigation
GeneralOverview
Findings
Critical (4)
High (2)
Medium (5)Cross-site scripting via `postMessage`Address bar not updated after failed navigationCallback address bar not updated after navigationLack of WebView `postMessage` origin validationLack of TLS ALPN validation
Low (6)
Informational (2)
DiscussionSpoofing risk via website data format instabilitySpoofing risk via insecure contains/RegEx checksSensitive data exposure riskUser-phishing riskLack of `postMessage` origin validationProxy/scraping service usageNode centralization risk
Audit ResultsSummary
Category: Coding Mistakes

Callback address bar not updated after navigation

Medium Severity
Medium Impact
Medium Likelihood

Description

The Reclaim app uses a WebView component to display the content of the callback webpage. It displays an address bar above the WebView. But, this address bar does not update whenever the WebView navigates to a new page.

This issue occurs in reclaim-app/src/screens/Submit.tsx:

const Submit: React.FC<Props> = (props) => {
  // ...
  return (
    // ...
    <ProviderSubheading numberOfLines={1}>{template.callbackUrl}</ProviderSubheading>

Impact

Untrusted JavaScript running on callback pages (such as in an iframe) may trigger a top frame navigation to a malicious page that disguises itself as the trusted origin. This can convince the user to enter their credentials or reveal other sensitive information to the attacker's website.

Recommendations

The Submit component should update the address bar to correctly reflect the origin of the displayed page.

Remediation

Zellic © 2025Back to top ↑