
[hackerone]: blind cross chain signing should be prevented #29798

Closed
kdenhartog opened this issue Apr 17, 2023 · 5 comments · Fixed by brave/brave-core#18200
Labels: feature/web3/wallet/core, feature/web3/wallet/solana, feature/web3/wallet (Integrating Ethereum+ wallet support), OS/Android (Fixes related to Android browser functionality), OS/Desktop, priority/P2 (A bad problem. We might uplift this to the next planned release.), QA Pass - Android ARM, QA Pass-Linux, QA/Yes, release-notes/include, sec-high, security

Comments

@kdenhartog (Member)

see https://hackerone.com/reports/1951016

@kjozwiak (Member)

@diracdeltas should this be release-notes/include as it's a report from HackerOne?

@kjozwiak (Member)

The above requires 1.51.105 or higher for 1.51.x verification 👍

@diracdeltas (Member)

@kjozwiak yeah, we can just use the PR title for the release notes: "Reject Solana SignTransaction/SignAllTransactions when blockhash is invalid (credit: https://hackerone.com/julianor)"

@srirambv (Contributor)

srirambv commented May 2, 2023

Verification passed on

Brave 1.51.109 Chromium: 113.0.5672.63 (Official Build) (64-bit)
Revision 0e1a4471d5ae5bf128b1bd8f4d627c8cbd55f70c-refs/branch-heads/5672@{#912}
OS Linux
  • Verified steps from brave/brave-core#18200 using https://pwgoom.csb.app
  • Verified clicking on Sign Transaction (Invalid blockhash) doesn't show the panel for approval but instead shows [error] signTransactionWithInvalidBlockhash: {"code":-32603,"message":"Blockhash is invalid or can not be validated"}
  • Verified clicking on Sign All Transaction (Invalid blockhash) doesn't show the panel for approval but instead shows [error] signAllTransactionsWithInvalidBlockhash: {"code":-32603,"message":"Blockhash is invalid or can not be validated"}
  • Verified Sign Transaction (Invalid blockhash) and Sign All Transactions (Invalid blockhash) fail when both Solana Mainnet and Solana Devnet are set as active network
    29798-2.mp4

  • Verified steps from brave/brave-core#18200 of using the PoC setup
  • Verified when no funds in Mainnet and attempt to send funds shows Result: Error: failed to send transaction: Transaction simulation failed: Attempt to debit an account but found no record of a prior credit. error message
  • Verified when switching to Devnet and attempt to send funds shows Result: Error: Blockhash is invalid or can not be validated
    29798-1.mp4

Verified Sign Transaction and Sign All Transactions (multiple) works as expected.

29798-3.mp4
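The check described in the PR title and exercised by the verification steps above, modelled as a pure function so it runs offline. This is an added illustration, not brave-core's code; the network names, the blockhash strings, the lookup table and the function names are constructed assumptions, and the error object is the one quoted in the verification output.

```javascript
// Added illustration (not brave-core's code): gate a Solana signTransaction /
// signAllTransactions request on whether every transaction's recentBlockhash is
// valid on the wallet's *active* network. A blockhash minted on one network
// does not validate on another, so a request that tries to get a mainnet
// transaction blind-signed while the wallet is on devnet never reaches the UI.
const INVALID_BLOCKHASH_ERROR = Object.freeze({
  code: -32603,
  message: "Blockhash is invalid or can not be validated",
});

// Constructed stand-in for asking the active network's RPC node whether a
// blockhash is still recent; a real wallet queries the node, here it is a lookup.
const RECENT_BLOCKHASHES = {
  mainnet: new Set(["MainnetHash111", "MainnetHash222"]),
  devnet: new Set(["DevnetHash111"]),
};

function isBlockhashValid(network, blockhash) {
  const known = RECENT_BLOCKHASHES[network];
  return known !== undefined && known.has(blockhash);
}

// Returns whether the approval panel may be shown. Any transaction whose
// blockhash is missing, malformed, or not valid on the active network rejects
// the whole request with the JSON-RPC error; "sign all" is all-or-nothing.
function gateSignRequest(activeNetwork, transactions) {
  if (!Array.isArray(transactions) || transactions.length === 0) {
    return { showApprovalPanel: false, error: INVALID_BLOCKHASH_ERROR };
  }
  for (const tx of transactions) {
    if (!tx || typeof tx.recentBlockhash !== "string" ||
        !isBlockhashValid(activeNetwork, tx.recentBlockhash)) {
      return { showApprovalPanel: false, error: INVALID_BLOCKHASH_ERROR };
    }
  }
  return { showApprovalPanel: true, error: null };
}

// Usage: wallet is on devnet, dapp submits a transaction built against mainnet.
console.log(gateSignRequest("devnet", [{ recentBlockhash: "MainnetHash111" }]));
```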

@srirambv (Contributor)

srirambv commented May 3, 2023

Verification passed on Oppo Reno 5 with Android 13 running 1.51.109 x64 build

  • Verified steps from brave/brave-core#18200 using https://pwgoom.csb.app
  • Verified clicking on Sign Transaction (Invalid blockhash) doesn't show the panel for approval but instead shows [error] signTransactionWithInvalidBlockhash: {"code":-32603,"message":"Blockhash is invalid or can not be validated"}
  • Verified clicking on Sign All Transaction (Invalid blockhash) doesn't show the panel for approval but instead shows [error] signAllTransactionsWithInvalidBlockhash: {"code":-32603,"message":"Blockhash is invalid or can not be validated"}
  • Verified Sign Transaction (Invalid blockhash) and Sign All Transactions (Invalid blockhash) fail when both Solana Mainnet and Solana Devnet are set as active network
  • Verified Sign Transaction and Sign All Transactions (multiple) works as expected
29798.mp4
