On July 7th a vulnerability in the Hiro Wallet web extension was reported affecting the authentication feature of wallet in versions earlier than v3.11.2.
It was discovered that insufficient validation was taking place on the configuration passed to authentication mechanism. This would allow an attacker to craft a malicious authentication request, and if approved, obtain the appPrivateKey of any domain passed.
Impact
The appPrivateKey is passed to the app in order to encrypt data stored on Gaia, a Stacks storage solution. If an attacker would convince a user into performing authentication, they would be able to access the appPrivateKey of any domain. As such, putting user data at risk.
No funds were at risk of loss because of this vulnerability.
Cause
The appPrivateKey is generated by the @stacks/wallet-sdk library. It is derived as a hash of:
-
the requesting app’s domain
-
a value derived from the user’s private key
The wallet passed the origin of the redirect_uri to the library, rather than the origin of the requesting domain. As this is set by the user, it could match any domain. This resulting key would then be returned to the app.
Patch
The wallet now validates that the redirect_uri value matches the origin of the requesting domain. Further, only the requesting origin’s domain is passed to the @stacks/wallet-sdk library.
Web Extensions are automatically updated by the browser, users do not need to take any direct action to get the latest version.
Timeline
- Vulnerability reported 00:32 July 7th
- Patch merged 14:23 July 7th
Attributions
Credit to Hank Stoever (Mechanism.so) for the vulnerability report.