josietyleung
commented
2 years ago Issue moved to EmerisHQ/emeris-extension #130 via ZenHub
Closed josietyleung closed 2 years ago
josietyleung
commented
2 years ago Issue moved to EmerisHQ/emeris-extension #130 via ZenHub
Synopsis The current implementation of the wallet is using window.open to access external websites, such as https://emeris.com/privacy. If an attacker injects malicious code in that website, they can rewrite the source page and substitute it with a phishing website. This type of attack is known as reverse tabnabbing.
Impact With a reverse tabnabbing attack, the user who initially opens the original and correct webpage is unlikely to notice the webpage has been replaced with the phishing website. This will likely lead to the user sharing their credentials and other sensitive data with the phishing website. This could lead to a complete loss of funds or wallet takeover.
Refer to full audit report first - Issue G
https://allinbits.slack.com/archives/C02U9SVJT97/p1652107168347859