Category: Coding Mistakes

Lack of WebView postMessage origin validation

Medium Severity
Medium Impact
Medium Likelihood

Description

The Reclaim app uses a WebView to render the callback and authentication pages. The WebView components listen to message events sent by injected JavaScript running on the embedded webpages. However, Reclaim does not validate the origin of these messages against an expected value, allowing a malicious cross-origin webpage to impersonate the expected origin.

This issue occurs in reclaim-app/src/lib/webviewRpc/webviewRpc.tsx:

export function useWitnessWebview() {
    // ...
    <WebView
        // ...
        onMessage={(data) => {
            // ...
            // The sending page (data.nativeEvent.url) is never compared against an expected origin
            // before the payload is parsed and acted upon.
            const rpcResult = data.nativeEvent.data
            const parsed = JSON.parse(rpcResult)

This issue also occurs in reclaim-app/src/provider/screens/HttpAuthentication.tsx:

const HttpAuthentication = forwardRef<object, refProps>((props, compRef) => {
    // ...
    <WebView
        // ...
        onMessage={async (event) => {
            // Same pattern: the message is parsed without checking which origin posted it.
            const rawMessage = event.nativeEvent.data
            const messageData = JSON.parse(rawMessage)

Impact

Because any page loaded in the WebView can post messages that the app treats as coming from the expected origin, a malicious website can prompt the user to sign a message about an account they do not own. This may lead to the user inadvertently connecting their account to the attacker's profile.

Recommendations

The Reclaim app should validate the origin of postMessage calls received by the WebView components before parsing or acting on their contents.
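As an added example (not Reclaim's code), the following wrapper performs the missing check: it derives the origin of the page that posted the message from the URL carried in the WebView message event and drops anything not on an allowlist before the payload is ever parsed. The event type is a minimal local mirror of react-native-webview's WebViewMessageEvent (only the fields used here), and ALLOWED_ORIGINS is an assumed placeholder for the real callback and authentication origins.

```typescript
// Minimal mirror of the react-native-webview message event shape used here.
// The real nativeEvent also carries loading/title/etc.; only data and url matter.
type WebViewMessageNativeEvent = { data: string; url: string };
type WebViewMessageEvent = { nativeEvent: WebViewMessageNativeEvent };

// Assumed allowlist; replace with the origins the app actually loads.
export const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  "https://callback.example-reclaim.invalid",
]);

// Reduce a page URL to its origin (scheme://host[:port]). Returns null for
// anything that is not an https URL, so about:blank, javascript:, data: and
// file: pages, which have opaque or attacker-chosen origins, never match.
export function originOf(url: string): string | null {
  try {
    const u = new URL(url);
    if (u.protocol !== "https:") return null;
    return u.origin; // lowercases host and strips the default port
  } catch {
    return null;
  }
}

export type RpcMessage = { method: string; params?: unknown; id?: string | number };

// Returns the parsed RPC message only when the posting page's origin is
// allowlisted and the payload is a JSON object with a string "method".
// Returns null (message dropped) in every other case. The origin check runs
// first so untrusted pages never reach JSON.parse or any handler logic.
export function acceptWebViewMessage(
  event: WebViewMessageEvent,
  allowed: ReadonlySet<string> = ALLOWED_ORIGINS,
): RpcMessage | null {
  const origin = originOf(event.nativeEvent.url);
  if (origin === null || !allowed.has(origin)) return null;

  let parsed: unknown;
  try {
    parsed = JSON.parse(event.nativeEvent.data);
  } catch {
    return null;
  }
  if (typeof parsed !== "object" || parsed === null) return null;
  const msg = parsed as Record<string, unknown>;
  if (typeof msg.method !== "string") return null;
  return msg as RpcMessage;
}
```

In an onMessage handler the call would be `const msg = acceptWebViewMessage(event); if (msg === null) return;` before any existing dispatch logic. Note that react-native-webview reports the WebView's current top-level URL in `url`, so this check does not distinguish content embedded in iframes inside an allowlisted page.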

Remediation

Zellic © 2025