BuildOnViction / bug-reports

TomoChain's Bug Report & Support
https://tomochain.com

Security Issue when opened on separate browsers #94

Closed CryptoChaser13 closed 4 years ago

CryptoChaser13 commented 4 years ago

Hello. Let me explain what happened here. I also made a screen recording of my encounter, which I will post below.

I have a recently opened dexchange account in my Google Chrome, so the wallet's password is autosaved. I reloaded the dexchange and the "Unlock Wallet" prompt popped up, so I just pressed Enter since my session password is already saved. So now I am in the ADA/TOMO pair. I tried to submit a buy transaction, but to make sure it wouldn't be cancelled, I just picked the lowest price. So now the order was successfully submitted.

Just after I submitted the transaction, I minimized Google Chrome for a while and opened the dexchange in Mozilla Firefox. So now I need my mnemonic phrase, but just to hide it, I reduced the size of the page. I entered another password for this session and now I successfully opened my wallet. To prove that this is the wallet I used in Chrome, the buy order I just submitted in the ADA/TOMO pair can be seen below under my Open Orders. Now my plan is to cancel that order and see if it will work. So I tried to cancel it, and yes, it really was cancelled.

So I went back to Google Chrome, and now my buy order is cancelled and gone. I went back again to Mozilla Firefox and tried to execute another buy order at a low price, still in the ADA/TOMO pair. It was successfully submitted, and the same when I checked in Google Chrome.

My point here is: what if, under any circumstance, a customer's info (like the mnemonic phrase) gets stolen by another person without his knowledge? The thief can open the account, since it can be opened in separate browsers at the same time. The thief can not only cancel or make new orders for the owner of the account but, even worse, their funds can be attacked at any time.

My expectation is that when the dexchange is logged in on the first browser (probably by the owner), it must not be allowed to be opened in a second browser, or the same password saved in the last session must be used in order to open it in the second browser. I hope I explained my point here.

By the way here is the video of the encounter: https://youtu.be/himh_pDZovI

Here is my tomo wallet:

0xafb82d9c2609ead9534774b16f9d1377d2decea3

thanhson1085 commented 4 years ago

Perhaps you do not understand that if you lose your mnemonic or private key, you will lose your funds. No issue with the product.

CryptoChaser13 commented 4 years ago

There are some cases where mnemonic phrases can be stolen by anyone, yet maybe your greatest point is that everyone is responsible for securing their own information, especially the mnemonic phrase or private key.