Disclosure of resolved appPrivateKey vulnerability in Hiro Wallet

On July 7th, a vulnerability in the Hiro Wallet web extension was reported, affecting the authentication feature of the wallet in versions earlier than v3.11.2.

It was discovered that insufficient validation was taking place on the configuration passed to the authentication mechanism. This would allow an attacker to craft a malicious authentication request and, if it was approved, obtain the appPrivateKey of any domain passed.


The appPrivateKey is passed to the app in order to encrypt data stored on Gaia, a Stacks storage solution. If an attacker convinced a user to perform authentication, they would be able to access the appPrivateKey of any domain, putting user data at risk.

No funds were at risk of loss because of this vulnerability.


The appPrivateKey is generated by the @stacks/wallet-sdk library. It is derived as a hash of:

  1. the requesting app’s domain

  2. a value derived from the user’s private key

The wallet passed the origin of the redirect_uri to the library, rather than the origin of the requesting domain. As this is set by the user, it could match any domain. The resulting key would then be returned to the app.


The wallet now validates that the redirect_uri value matches the origin of the requesting domain. Further, only the requesting origin’s domain is passed to the @stacks/wallet-sdk library.
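The difference between the two behaviours, as an added example that is not the wallet's or the @stacks/wallet-sdk's own code. It assumes an HMAC-SHA256 stand-in for the real derivation, and the function names, the user secret and the example.* origins are hypothetical, constructed values.

```javascript
// Added example: simplified stand-in, not the @stacks/wallet-sdk derivation.
const { createHmac } = require("node:crypto");

// Stand-in for "a hash of the app's domain and a value derived from the user's private key".
function deriveAppKey(userSecret, appDomain) {
  return createHmac("sha256", userSecret).update(appDomain).digest("hex");
}

// Pre-fix behaviour described above: the key is bound to the redirect_uri origin,
// a field inside the request, and requestingOrigin is never consulted.
function handleAuthVulnerable(userSecret, requestingOrigin, request) {
  return deriveAppKey(userSecret, new URL(request.redirect_uri).origin);
}

// Post-fix behaviour: reject a redirect_uri whose origin differs from the requester,
// and derive only from the requesting origin (assumed to be supplied by the browser).
function handleAuthFixed(userSecret, requestingOrigin, request) {
  const requester = new URL(requestingOrigin).origin;
  let redirectOrigin;
  try {
    redirectOrigin = new URL(request.redirect_uri).origin;
  } catch {
    throw new Error("redirect_uri is not a valid absolute URL");
  }
  if (redirectOrigin !== requester) {
    throw new Error("redirect_uri origin does not match requesting origin");
  }
  return deriveAppKey(userSecret, requester);
}

// Constructed sample values.
const USER_SECRET = "constructed-user-secret";
const honest = { redirect_uri: "https://app.example/callback" };
const mismatched = { redirect_uri: "https://other.example/callback" };

function demo() {
  const otherAppKey = deriveAppKey(USER_SECRET, "https://other.example");
  const leaked = handleAuthVulnerable(USER_SECRET, "https://evil.example", mismatched);
  let rejected = false;
  try { handleAuthFixed(USER_SECRET, "https://evil.example", mismatched); }
  catch { rejected = true; }
  const ok = handleAuthFixed(USER_SECRET, "https://app.example", honest);
  const honestKeyOk = ok === deriveAppKey(USER_SECRET, "https://app.example");
  return { leakedMatchesOtherApp: leaked === otherAppKey, rejected, honestKeyOk };
}
console.log(demo());
```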

See the pull request here →

Web Extensions are automatically updated by the browser, so users do not need to take any direct action to get the latest version.


  • Vulnerability reported 00:32 July 7th
  • Patch merged 14:23 July 7th


Credit to Hank Stoever (Mechanism.so) for the vulnerability report.