Synopsis
The background script does not validate which method a request is attempting to call in the Emeris browser extension wallet, allowing attackers to call arbitrary functions in the internal emeris object. This allows attackers to call the popupHandler function directly and subsequently call getMnemonic. If an attacker is able to guess the password of the wallet, the mnemonic can be exfiltrated from the wallet.
Impact
A user’s seed phrases can be exfiltrated from the wallet without their knowledge. This would result in the loss of all their funds.
Remediation
We recommend implementing a check in pageHandler that verifies that request.action belongs to a pre-approved list of functions. Additionally, we recommend that validation be performed in the content script that inspects the message to make sure that the data is structured only in the way expected by the requested function.
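The following is an added example of the recommended remediation, not code from the Emeris extension: a pageHandler in the background script that dispatches only actions on an explicit allowlist and checks the payload shape per action, with the same structural check applied in the content script before a message is relayed. The emeris stub and the action names getAccountName and signTransaction are hypothetical stand-ins; pageHandler, request.action, popupHandler and getMnemonic are the names used in the finding.

```javascript
// Added example (not the Emeris project's own code). The `emeris` object below
// is a hypothetical stand-in for the extension's internal object; only the
// request.action / pageHandler naming is taken from the finding.
const emeris = {
  // Hypothetical page-facing operations.
  getAccountName: () => "demo-account",
  signTransaction: ({ chainId, msgs }) => ({ chainId, signed: msgs.length }),
  // Privileged internals that a web page must never be able to reach.
  popupHandler: () => { throw new Error("must not be reachable from pages"); },
  getMnemonic: () => { throw new Error("must not be reachable from pages"); },
};

function isPlainObject(v) {
  return v !== null && typeof v === "object" &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// True only when `obj` has exactly the listed keys, no more and no fewer.
function sameKeys(obj, keys) {
  const have = Object.keys(obj).sort();
  const want = [...keys].sort();
  return have.length === want.length && want.every((k, i) => k === have[i]);
}

// The allowlist: every action a page may call, paired with a validator that
// returns true only for the payload shape that action expects. Anything not
// listed here (popupHandler, getMnemonic, ...) is unreachable by construction.
const ALLOWED_ACTIONS = {
  getAccountName: (data) =>
    data === undefined || (isPlainObject(data) && Object.keys(data).length === 0),
  signTransaction: (data) =>
    isPlainObject(data) &&
    sameKeys(data, ["chainId", "msgs"]) &&
    typeof data.chainId === "string" &&
    Array.isArray(data.msgs),
};

// Own-property lookup so inherited names such as "constructor" or
// "__proto__" can never satisfy the allowlist check.
function isAllowed(action) {
  return typeof action === "string" &&
    Object.prototype.hasOwnProperty.call(ALLOWED_ACTIONS, action);
}

// Background-script side: validate the request before touching `emeris`.
function pageHandler(request) {
  if (!isPlainObject(request) || typeof request.action !== "string") {
    return { ok: false, error: "malformed request" };
  }
  if (!isAllowed(request.action)) {
    return { ok: false, error: `action not allowed: ${request.action}` };
  }
  if (!ALLOWED_ACTIONS[request.action](request.data)) {
    return { ok: false, error: `invalid data for ${request.action}` };
  }
  return { ok: true, result: emeris[request.action](request.data) };
}

// Content-script side: the same structural check, run at the page boundary
// so a message that fails it is dropped instead of being forwarded.
function contentScriptFilter(message) {
  return isPlainObject(message) &&
    isAllowed(message.action) &&
    ALLOWED_ACTIONS[message.action](message.data);
}

// Constructed sample messages: one legitimate, two that the finding describes.
console.log(pageHandler({ action: "signTransaction", data: { chainId: "c", msgs: [1, 2] } }));
console.log(pageHandler({ action: "popupHandler" }));
console.log(contentScriptFilter({ action: "getMnemonic", data: {} }));
```

Real background handlers are usually asynchronous; the ordering is what matters: the action and payload checks run before any internal method is invoked, and the dispatch table (not the request) decides which internal names exist.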
Refer to full audit report first - Issue A
https://allinbits.slack.com/archives/C02U9SVJT97/p1652107168347859