aaronisme
commented
3 years ago @fnord123 Thanks for your question and actually I will raise PR to your tool to make it easy to validate the UUID.
Closed fnord123 closed 3 years ago
aaronisme
commented
3 years ago @fnord123 Thanks for your question and actually I will raise PR to your tool to make it easy to validate the UUID.
aaronisme
commented
3 years ago @fnord123 Here the PR for your tool https://github.com/fnord123/CoboSyncVerifier/pull/1, any questions free to contact us. :)
fnord123
commented
3 years ago Thank you, this is an excellent resolution. I will do some prettying up on my end then report my findings so that others can also do self verification. I am impressed at Cobo team's responsiveness.
One small suggestion - don't call it a UUID. A UIID has a specific meaning and format that Cobo doesn't follow, which is what got me worried. Perhaps use a more neutral term like 'fingerprint' or 'wallet identifier', which would be less confusing.
aaronisme
commented
3 years ago Thank you, this is an excellent resolution. I will do some prettying up on my end then report my findings so that others can also do self-verification. I am impressed at the Cobo team's responsiveness.
One small suggestion - don't call it a UUID. A UIID has a specific meaning and format that Cobo doesn't follow, which is what got me worried. Perhaps use a more neutral term like 'fingerprint' or 'wallet identifier', which would be less confusing.
Yes! the reason why we use its way to calculate the “UUID” (I think wallet id will be a better name) is because of some historical reason, we have to be compatible with our first-gen product. and in the coming future, we have the plan to replace it with the master fingerprint
Cobo Vault displays a series of QR codes to the Cobo App during pairing. These QR codes could in theory be used to share a user's secret keys (and thus access to their cryptocurrency) with the app.
It would be beneficial to allow users to independently verify that the QR codes displayed do not contain any secret information. To that end, I've created a python script for doing so, found here.
While most of the content of the QR codes displayed by the Cobo Vault looks fine, there is a suspicious alleged "UUID" present that could be leaking secrets. It isn't actually a UUID, both in format and in length - in fact, it is plenty long enough to carry a secret in it.
Issue 14 previously raised this, and the submitter eventually included instructions for how they successfully verified the UUID was not leaking secrets, however, I am unable to follow their directions successfully. I've used Ian Coleman's BIP39 tool as suggested in that issue but cannot find a match anywhere to the contents of the UUID that is displayed in Cobo Vault's QR codes.
Cobo team, please provide clear instructions how to take the UUID and prove it contains no secrets. Either that, or change the UUID to something that is much shorter and thus cannot leak secrets - e.g. a CRC32 of the first xpub or something like that.
I want to make it clear that I am doing this because I think Cobo Vault is one of the best solutions out there in terms of security, except for this one issue around the UUID. I'd like to be able to tell my friends and others that Cobo Vault is the best solution, but can't do so as long as I cannot validate this UUID.
I would be happy to work with the Cobo team to answer any questions, including providing the BIP39 seed I used as a test vector as it is an empty wallet that is only used for the present case, as well as the QR codes the Cobo Vault showed, etc.