MetaMask / metamask-extension

The MetaMask browser extension enables browsing Ethereum blockchain enabled websites
https://metamask.io

Security alerts - We should run a new validation when transaction is edited on extension #22554

Open seaona opened 9 months ago

seaona commented 9 months ago

Describe the bug

Problem: whenever a dapp transaction is triggered, ppom validates that transaction data. However, if you Edit the transaction, the ppom result is not updated with the new transaction data.

Expected behavior

If the transaction is edited, the validation should happen again.

Screenshots/Recordings

https://github.com/MetaMask/metamask-extension/assets/54408225/06458b21-2d61-434c-ab4b-4b56c078e665

Steps to reproduce

  1. Trigger a malicious send transaction from the test dapp
  2. Edit the transaction, and change the recipient to a known benign address (your address)
  3. Confirm
  4. See how the validation remains the same as before: flagged as benign

Error messages or log output

No response

Version

11.9.0, also happening in prod

Build type

None

Browser

Chrome

Operating system

Linux

Hardware wallet

No response

Additional context

No response

Severity

No response
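
Added example (not MetaMask's or PPOM's code, and not part of the original report): one way to get the expected behaviour described above is to bind each validation result to a fingerprint of the transaction parameters it was computed on, re-validate when an edit changes them, and refuse a stale result at confirmation time. Every name here (`PendingTransaction`, `validate`, `fingerprint`, the field list, the result strings and the addresses) is hypothetical or constructed.

```javascript
// Hypothetical names throughout; not MetaMask's or PPOM's API.
// Fields whose change must invalidate an earlier security verdict (assumed list).
const VALIDATED_FIELDS = ['chainId', 'from', 'to', 'value', 'data'];

// Canonical fingerprint of the parameters a verdict was computed on.
function fingerprint(txParams) {
  return JSON.stringify(
    VALIDATED_FIELDS.map((k) => String(txParams[k] ?? '').toLowerCase()),
  );
}

// Stand-in validator: flags one constructed recipient address.
const FLAGGED = new Set(['0x' + 'bad0'.repeat(10)]);
function validate(txParams) {
  const hit = FLAGGED.has(String(txParams.to).toLowerCase());
  return { resultType: hit ? 'Malicious' : 'Benign' };
}

class PendingTransaction {
  constructor(txParams) {
    this.txParams = { ...txParams };
    this.validationRuns = 0;
    this.revalidate();
  }
  revalidate() {
    this.validationRuns += 1;
    this.alert = { ...validate(this.txParams), validatedFor: fingerprint(this.txParams) };
  }
  // An edit re-runs validation only when a validated field actually changed.
  edit(changes) {
    this.txParams = { ...this.txParams, ...changes };
    if (this.alert.validatedFor !== fingerprint(this.txParams)) this.revalidate();
  }
  // Confirmation-time guard: refuse a verdict bound to different parameters.
  currentAlert() {
    if (this.alert.validatedFor !== fingerprint(this.txParams)) {
      throw new Error('stale security alert: transaction changed since validation');
    }
    return this.alert.resultType;
  }
}

// Mirrors the issue's steps with constructed addresses: flagged send, then edit recipient.
function demo() {
  const tx = new PendingTransaction({ chainId: '0x1', from: '0x' + 'a'.repeat(40),
    to: '0x' + 'bad0'.repeat(10), value: '0x1', data: '0x' });
  const before = tx.currentAlert();
  tx.edit({ to: '0x' + 'c'.repeat(40) });
  return { before, after: tx.currentAlert(), runs: tx.validationRuns };
}
```

The guard in `currentAlert()` matters independently of `edit()`: any code path that mutates the parameters without going through re-validation produces an error instead of a stale verdict.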

seaona commented 7 months ago

This might be higher priority due to the multichain work.

github-actions[bot] commented 3 months ago

This issue has been automatically marked as stale because it has not had recent activity in the last 90 days. It will be closed in 45 days if there is no further activity. The MetaMask team intends on reviewing this issue before close, and removing the stale label if it is still a bug. We welcome new comments on this issue. We do not intend on closing issues if they report bugs that are still reproducible. Thank you for your contributions.