AlphaWallet / alpha-wallet-android

An advanced Ethereum mobile wallet
https://www.alphawallet.com
MIT License

Dapp browser address bar spoof #2672

Open seabornlee opened 2 years ago

seabornlee commented 2 years ago

https://bugs.immunefi.com/dashboard/submission/8039

Description

Important Note

I have found this same problem on most of the Top 5 crypto wallets (big giants) and they are already fixing this; the fix should probably be out this week.

Description

This report is about an AddressBar Spoofing, similar to but not the same as the one I reported in Apple Safari Browser (here is the security advisory: https://support.apple.com/en-in/HT211934), as well as in a few top 5 browsers, including Web and Mobile crypto wallets.

This security vulnerability is an AddressBar Spoofing affecting the Alpha Wallet Android App Dapp Browser, which allows an attacker to trick the browser into showing a different URL in the address bar while displaying different (attacker-controlled) content.

Impact

1. Integrity - High

That is the most critical part when estimating the impact. First, what is the main use case of the Dapp Browser? Users can visit any website and connect that site with their wallet, and the way they trust that the website they are visiting is trustworthy is by confirming the URL/AddressBar visible at the top of the screen. So the AddressBar is the most critical part of a browser, especially the Dapp Browser.

2. What Google Chrome Security Said

According to the Google Chrome Security Team, the AddressBar is the most trusted part of a browser, because that is the only way someone can spot whether the domain is legitimate or fake. If we are able to compromise it, then we are losing the integrity completely. If we are able to spoof/fake a trusted domain name, e.g. apple.com, we have completely lost the integrity, because the URL/AddressBar was the trust factor here. Once the user receives the spoofed domain page, they are more likely to connect their wallet, which is a de facto outcome, because, as mentioned earlier, we are not asking the victim to put in their credentials/personal information; instead we are asking them to connect their wallet with the website, WHICH IS THE ONLY THING THE DAPP BROWSER IS MADE FOR.

Tested

One Plus 5T, running Android 10
Alpha Wallet Android App version 3.57.0, last updated on 15 June 2022

Risk Breakdown

Difficulty to Exploit: Very Easy
Weakness: Untrusted Array Bound Index
CVSS v2 Vector: (AV:N/AC:L/Au:N/C:P/I:C/A:N)
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Recommendation

The flaw is due to an improper implementation of the setInterval function, which allows remote attackers to spoof the address bar via a crafted web page. If you can control the setInterval and not let it run throughout the page for a defined period, it should fix the problem. I will keep you updated with technical details on this.

References

https://support.apple.com/en-in/HT211934

https://www.zdnet.com/article/hacker-wins-5000-for-chrome-firefox-address-bar-spoofing-flaw/

Proof of Concept

POC Video (I tried to upload it here but couldn't due to the size limitation. I have uploaded my video in Unlisted mode, so it is not available publicly. Hope that's fine with you.)

Video URL - https://youtube.com/shorts/d-VVnWuVkS8?feature=share

POC Exploit URL: https://intruderpoc.000webhostapp.com/walletpoc/alphaandroidpoc.html

1. Once a user hits this URL from the Alpha Android Wallet Browser and clicks the spoof button, the AddressBar will display https://alphawallet.com/ (screenshot attached), but the contents are under attacker control. Please let me know if you need more information.

seabornlee commented 2 years ago

I tried updating the address bar in onPageFinished, and it looks like it will have the same spoofing issue when attackers keep the page from finishing. I am trying to make the WebView not usable while loading.
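One way to implement the approach discussed in this thread, as an added example that is not AlphaWallet's code: a WebViewClient that treats the address bar as pending until the document has actually finished loading, blocks the wallet-connect action during that window, and re-reads the URL from the WebView itself (also on pushState navigations, which fire doUpdateVisitedHistory rather than onPageFinished). The widget names `addressBar` and `connectButton` and the class name are assumptions.

```java
// Added example (not AlphaWallet's code). Gates the address bar and the
// dapp-connect action on WebView load state, so a page that is kept in a
// "never finished" state cannot present itself as a settled, trusted site.
import android.graphics.Bitmap;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Button;
import android.widget.EditText;

public class LoadGatedWebViewClient extends WebViewClient {
    private final EditText addressBar;   // address bar widget (assumed name)
    private final Button connectButton;  // "connect wallet" action (assumed name)
    private boolean loading = false;

    public LoadGatedWebViewClient(EditText addressBar, Button connectButton) {
        this.addressBar = addressBar;
        this.connectButton = connectButton;
    }

    @Override
    public void onPageStarted(WebView view, String url, Bitmap favicon) {
        loading = true;
        // Show the pending URL but keep the bar visibly disabled and refuse
        // wallet connections until the load completes.
        addressBar.setText(url);
        addressBar.setEnabled(false);
        connectButton.setEnabled(false);
    }

    @Override
    public void onPageFinished(WebView view, String url) {
        loading = false;
        // Take the URL from the WebView, not from state set earlier by the page.
        addressBar.setText(view.getUrl());
        addressBar.setEnabled(true);
        connectButton.setEnabled(true);
    }

    @Override
    public void doUpdateVisitedHistory(WebView view, String url, boolean isReload) {
        // history.pushState() changes the URL without a new load; mirror it
        // from the WebView so the bar never lags behind the real location.
        addressBar.setText(view.getUrl());
    }

    /** Origin to show in a connect prompt; null while a load is still in flight. */
    public String trustedUrlForConnect(WebView view) {
        return loading ? null : view.getUrl();
    }
}
```

The connect flow should call `trustedUrlForConnect` at the moment the prompt is shown and abort when it returns null, rather than reusing a URL captured earlier.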