Synopsis
The password used to decrypt the Emeris browser extension wallet is stored in session storage and is read by the changePassword function, so the wallet’s password can be changed using the password stored in memory. Although the UI requires the user to authenticate with the current password at an earlier stage of the flow, if an attacker manipulates the state of the application, the password stored in memory could be used to change the wallet’s password.
Impact
An attacker can extract the password from memory. The extracted password can be used with all changePassword functions to change the password, preventing the user from unlocking the wallet. Additionally, the attacker could use the extracted password to attempt authentication on other platforms, as users tend to use similar passwords across different platforms.
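One way to close the gap described above, shown as an added example that is not code from the Emeris extension or the audit report: the session-backed pattern beside a changePassword that takes the current password as an argument and verifies it by authenticated decryption. The function names, the blob layout and the choice of scrypt with AES-256-GCM are assumptions made for illustration.

```javascript
// Added illustration; hypothetical names, not the Emeris extension's code.
const crypto = require("node:crypto");

// Derive an AES-256 key from the password with scrypt.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Encrypt the wallet secret under a password (AES-256-GCM).
function encryptWallet(password, secret) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const data = Buffer.concat([cipher.update(secret, "utf8"), cipher.final()]);
  return { salt, iv, data, tag: cipher.getAuthTag() };
}

// Decrypt; throws when the password is wrong because the GCM tag check fails.
function decryptWallet(password, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", deriveKey(password, blob.salt), blob.iv);
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.data), d.final()]).toString("utf8");
}

// Pattern from the finding: the current password comes from session state,
// so any code path that reaches this function can re-key the wallet.
function changePasswordFromSession(session, blob, newPassword) {
  return encryptWallet(newPassword, decryptWallet(session.password, blob));
}

// Hardened: the caller must supply the current password on this call, and
// it is verified by authenticated decryption rather than by UI state.
function changePassword(blob, currentPassword, newPassword) {
  if (typeof currentPassword !== "string" || currentPassword.length === 0) {
    throw new Error("current password required");
  }
  let secret;
  try {
    secret = decryptWallet(currentPassword, blob);
  } catch {
    throw new Error("current password incorrect");
  }
  return encryptWallet(newPassword, secret);
}
```

With this shape nothing in session storage is sufficient to re-key the wallet; a session that must stay unlocked can hold a derived key with a short lifetime instead of the password itself, which also limits reuse of the value on other platforms.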
Refer to full audit report first - Issue I
https://allinbits.slack.com/archives/C02U9SVJT97/p1652107168347859