MetaMask / metamask-extension

:globe_with_meridians: :electric_plug: The MetaMask browser extension enables browsing Ethereum blockchain enabled websites
https://metamask.io
11.68k stars, 4.78k forks

Warn user if they are pasting their SRP into a website #13923

Open danfinlay opened 2 years ago

danfinlay commented 2 years ago

Taken from this community post.

To reduce the risk of being phished by a website, we could monitor when users paste their SRP, and then warn them and log the offending site for possible blocking.

Pasting is available as a DOM api like this:

// Fires in a content script whenever the user pastes into the page;
// the pasted text is available via event.clipboardData.getData('text').
document.addEventListener('paste', (event) => {
  console.log('pasted', event);
})

We wouldn't want to store the SRP in plaintext in every contentscript (massively increasing its memory footprint), so some other ways we could make it work instead would be:

epheph commented 2 years ago

I mentioned this on the community post, but I think matching 12+ BIP39 words is enough to flag; it doesn't even need to be THEIR seed words to trigger the warning.

tayvano commented 2 years ago

Here's wordlist for reference: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Not sure of the fastest way to check if a substring / string / array is included in a string / array, but I'm sure some blog has the answer.

If we assume the longest phrase that is worth checking is 24 words and the longest word is 8 characters, we could first check if the paste is < 200-300 characters (300 to give padding for erroneous characters that may be included, and because the difference between 200 and 300 characters is very negligible) and only then check against the word list. This would eliminate any lag when folks are pasting literal essays, code blocks, etc., as it eliminates all string searching entirely. We could further only check if the string is > 28 characters (min 7 words * min 4 characters per word = min 28 chars).

We could also reduce loops-required-for-success to 8 instead of 12. Assuming searching through 4 words == <2 days and 5 words == <23.4 years, a person pasting 7+ words of 12 word phrase should consider their seed compromised.

Also I just wrote all that but the bip39 spec includes a checksum. We could just attempt to checksum a clipboard between 28-200 characters and if true, warn. This may be fastest and least intrusive. 🙃 Useful findings here: https://smarx.com/posts/2020/08/cracking-bip39-seed-phrases/

epheph commented 2 years ago

The most useful/simple/fast version is probably just checking if a text box has an SRP in it and nothing else. From what I have seen investigating these scams, it is almost always a text box asking for the SRP (either looking like MetaMask or a support form). I think we could just iteratively check the first word in the text box against BIP-39 and proceed from there, 12 times; it should be very lightweight.