
Sensitive data exposure risk

The app's debug log file contains sensitive credentials and user data, but when the app prompts the user to share the file, it does not notify the user that the log contains sensitive information. This increases the likelihood that users will fall victim to social engineering.

The following code is from reclaim-app/src/screens/Https.tsx:

const payload = claim.requestedClaim.payload

const createAndShareFile = async () => {
    const fileName = 'logs.txt'
    const filePath = `${RNFS.DocumentDirectoryPath}/${fileName}`
    dispatch(addLog(JSON.stringify({ ...payload, type: 'payload' })))
    // [...]
    const shareOptions = {
        title: 'Share via',
        subject: 'Debug Logs',
        url: `file://${filePath}`,
        type: 'text/plain',
    }
    await Share.open(shareOptions)
}
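One way to reduce this exposure, shown as an added example that is not code from reclaim-app: redact secret-bearing fields before the payload is logged, and require an explicit warning confirmation before the file is shared. The key-name pattern, the `confirm` and `share` callbacks (stand-ins for a dialog and `Share.open`), and the sample payload are assumptions.

```typescript
type Json = string | number | boolean | null | Json[] | { [k: string]: Json }

// Hypothetical pattern for key names whose values must never reach the log.
const SENSITIVE_KEY = /cookie|authorization|token|secret|password|session/i

// Recursively replace values stored under sensitive keys.
function redact(value: Json): Json {
    if (Array.isArray(value)) return value.map((v) => redact(v))
    if (value !== null && typeof value === 'object') {
        const out: { [k: string]: Json } = {}
        for (const [k, v] of Object.entries(value)) {
            out[k] = SENSITIVE_KEY.test(k) ? '[REDACTED]' : redact(v)
        }
        return out
    }
    return value
}

// Mirrors the page's `{ ...payload, type: 'payload' }` entry, but redacted first.
function buildLogLine(payload: { [k: string]: Json }): string {
    return JSON.stringify(redact({ ...payload, type: 'payload' }))
}

const SHARE_WARNING =
    'Debug logs may contain credentials and personal data. Only share them with someone you trust.'

// Nothing is shared unless the user accepts the warning.
async function shareLogsWithWarning(
    logLines: string[],
    confirm: (message: string) => Promise<boolean>,
    share: (contents: string) => Promise<void>,
): Promise<boolean> {
    if (!(await confirm(SHARE_WARNING))) return false
    await share(logLines.join('\n'))
    return true
}

// Constructed sample payload; field names and values are illustrative only.
const samplePayload: { [k: string]: Json } = {
    url: 'https://example.com/account',
    headers: { Cookie: 'sid=constructed-session-value', Accept: 'application/json' },
    parameters: { userId: '12345' },
}
```

Key-name redaction only catches secrets stored under recognizable keys, so the share-time warning is still needed for anything that slips through.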
Zellic © 2025