Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

From Audit: The Misuse of Window.open Makes Wallet Vulnerable to Reverse Tabnabbing Attack #130

Open
josietyleung opened this issue May 10, 2022 · 0 comments
Open

From Audit: The Misuse of Window.open Makes Wallet Vulnerable to Reverse Tabnabbing Attack #130

josietyleung opened this issue May 10, 2022 · 0 comments
Assignees
@mihailmarcu
Labels
good first issue Good for newcomers

Comments

@josietyleung
Copy link

@josietyleung commented on Tue May 10 2022

Synopsis
The current implementation of the wallet is using window.open to access external websites, such as https://emeris.com/privacy. If an attacker injects malicious code in that website, they can rewrite the source page and substitute it with a phishing website. This type of attack is known as reverse tabnabbing.

Impact
With a reverse tabnabbing attack, the user who initially opens the original and correct webpage is unlikely to notice the webpage has been replaced with the phishing website. This will likely lead to the user sharing their credentials and other sensitive data with the phishing website. This could lead to a complete loss of funds or wallet takeover.

Refer to full audit report first - Issue G

https://allinbits.slack.com/archives/C02U9SVJT97/p1652107168347859
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mihailmarcu mihailmarcu

Labels
good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@eitjuh @mihailmarcu @josietyleung