Important note: This disclosure pertains to the web version of the Stacks Wallet, which is available as a browser extension for testing purposes only. It is not relevant to the desktop version for MacOS, Windows or Linux. As with any test software, please do not use the web version referenced here for managing any significant STX holdings or entering a secret or private key tied to any significant STX holdings. Use the desktop version instead.
On Feb 25th 2020 at 15:59 GMT, a vulnerability was discovered on the release/canary branch of the alpha version of the Stacks Wallet for web browser extension while undergoing a security audit with Least Authority.
The vulnerability could allow an attacker to embed the legitimate extension via an <iframe> within a malicious website. By placing the <iframe> containing the “Save your Secret Key” page of the extension transparently underneath a button on the malicious webpage, an attacker could coerce a user into clicking the “Copy Secret Key” button and granting the attacker permission to read the clipboard, thus revealing their Secret Key. This is known as a clickjacking attack.
The Hiro team released a patch on Feb 25th 2021 at 19:48 GMT, adding the frame-ancestors Content Security Policy (CSP) directive and rendering this exploit impossible.
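To illustrate what the frame-ancestors fix changes, the following is an added example (not Hiro's or the Stacks Wallet's own code): a small CSP evaluator that decides whether a page served with a given Content-Security-Policy header can be framed by a given embedding origin. The wallet and attacker origins are constructed placeholders, the policy is treated as a plain HTTP response header, and X-Frame-Options is deliberately not modelled.

```javascript
// Added example: evaluate the frame-ancestors directive of a CSP header.
// A policy with no frame-ancestors directive is the pre-patch state described
// in the advisory (any site may frame the page); frame-ancestors 'none' is the
// patched state. Origins below are constructed placeholders, not real hosts.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per CSP, a repeated directive name is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns true if a document served from pageOrigin with this CSP header may be
// embedded in a frame whose top-level document has origin embedderOrigin.
function framingAllowed(header, pageOrigin, embedderOrigin) {
  const sources = parseCsp(header || '').get('frame-ancestors');
  if (sources === undefined) return true; // no directive: framing is unrestricted
  const embedder = new URL(embedderOrigin);
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") {
      if (new URL(pageOrigin).origin === embedder.origin) return true;
      continue;
    }
    if (s === '*') return true;
    // scheme-source such as "https:" matches any host on that scheme
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {
      if (embedder.protocol === s) return true;
      continue;
    }
    // host-source: optional scheme, optional "*." wildcard, optional port
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
    if (!m) continue;
    const [, scheme, wildcard, host, port] = m;
    if (scheme && embedder.protocol !== scheme + ':') continue;
    const hostOk = wildcard ? embedder.hostname.endsWith('.' + host) : embedder.hostname === host;
    const ePort = embedder.port || (embedder.protocol === 'https:' ? '443' : '80');
    const portOk = !port || port === '*' || port === ePort;
    if (hostOk && portOk) return true;
  }
  return false;
}

const WALLET_ORIGIN = 'https://wallet.example';  // constructed placeholder
const ATTACKER_ORIGIN = 'https://evil.example';   // constructed placeholder
```

Running framingAllowed with an empty header and with "frame-ancestors 'none'" reproduces the before and after states of this advisory; the 'self', scheme and wildcard branches show how looser policies still leave room for framing.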
We are not aware of any instances where this vulnerability has been exploited.
If you are using the Stacks Wallet for web for any reason, please update immediately by installing the latest version.
Note that this web version of the Stacks Wallet was released, and remains, in alpha version because of the ongoing security audit as well as other improvements required before it can arrive at beta status. Accordingly, this alpha version should be used for testing and development purposes only.
We continue to advise against its use with any significant amount of STX tokens or with any secret or private key tied to any significant amount of tokens. We may continue to uncover possible exploits as we proceed with the security audit.
Users looking to manage their STX holdings with a stable and audited version of the Stacks Wallet may use the desktop Stacks Wallet instead.
We will release the full security report by Least Authority once the audit is completed entirely.
Save your Secret Key before upgrading:
Your session and related Secret Key will get erased from memory upon upgrading to the latest version of Stacks Wallet. As such, it’s vital that you save a copy of your Secret Key elsewhere beforehand.
If you haven’t yet saved your Secret Key, follow these instructions to do so:
Click on the Stacks Wallet extension icon in your browser
Select the three-lined menu in the top-right corner of the popup
Select “View Secret Key”
View and copy your Secret Key elsewhere (e.g. onto paper)
You will be asked to re-enter your Secret Key into the upgraded extension upon install.