MetaMask / metamask-extension

:globe_with_meridians: :electric_plug: The MetaMask browser extension enables browsing Ethereum blockchain enabled websites
https://metamask.io

Malicious Dependency Update Bug Bounty #6699

Open danfinlay opened 5 years ago

danfinlay commented 5 years ago

This issue represents the latest bug bounty in the MetaMask bug bounty program.

We will pay out this issue and bounty to any user who is able to identify a dependency update we have merged that includes malicious code designed to illegitimately access user keys.

Since this bounty is only good for code we have merged but not yet deployed, to participate in this program it will be useful to be notified about our latest release candidates before they are published.

We have a new release candidate up with many new dependency updates (introduced in this PR: https://github.com/MetaMask/metamask-extension/pull/6698), making it a prime candidate for this bounty. We are keeping this release candidate up for a full week, maximizing the opportunity that this bounty can be filled! I recommend the use of a dependency-diffing tool in particular for finding potential introduced vulnerabilities by this change, like npmfs.

NpmFS is a great tool for analyzing the differences between npm modules at two release versions, and could be useful in pursuing this bounty.

We have created a new Twitter account, MetaMask Bot, for posting about pending releases, which should also be useful to interested bounty hunters. A simple IFTTT Twitter notification can allow you to receive these updates via the messaging platform of your choice.

Happy Hunting!
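The dependency-diffing the post recommends can be started from the package manifests alone. The following is an added example in JavaScript (not MetaMask's tooling and not npmfs) that compares two versions of an npm `package.json` and reports the changes a reviewer of a dependency bump reads first: new or changed lifecycle scripts, a changed entry point, and added, removed or re-pinned dependencies. Both manifests and all package names in it are constructed.

```javascript
// Added example, not MetaMask's own tooling: diff two versions of an npm
// package manifest the way a dependency-bump reviewer would, surfacing the
// changes that most often carry injected code. Manifests are constructed.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

function diffManifests(before, after) {
  const findings = [];
  // 1. Lifecycle scripts run automatically on `npm install`; one that appears
  //    or changes in a version bump deserves a line-by-line read.
  for (const hook of LIFECYCLE) {
    const a = (before.scripts || {})[hook];
    const b = (after.scripts || {})[hook];
    if (a !== b) findings.push({ kind: "script", name: hook, before: a, after: b });
  }
  // 2. A changed entry point means require() now loads a different file.
  if (before.main !== after.main) {
    findings.push({ kind: "main", before: before.main, after: after.main });
  }
  // 3. Added, removed or re-pinned runtime dependencies widen the install set.
  const depsA = before.dependencies || {};
  const depsB = after.dependencies || {};
  for (const name of new Set([...Object.keys(depsA), ...Object.keys(depsB)])) {
    if (depsA[name] !== depsB[name]) {
      findings.push({ kind: "dependency", name, before: depsA[name], after: depsB[name] });
    }
  }
  return findings;
}

// Constructed sample: a patch-level bump that quietly adds a postinstall hook,
// moves the entry point and pulls in a new runtime dependency.
const v1 = { name: "example-lib", version: "1.4.2", main: "index.js",
  dependencies: { "left-pad": "^1.3.0" } };
const v2 = { name: "example-lib", version: "1.4.3", main: "lib/index.js",
  scripts: { postinstall: "node ./setup.js" },
  dependencies: { "left-pad": "^1.3.0", "example-helper": "0.1.1" } };

// Returns the findings for the constructed bump (three expected).
function reviewSample() { return diffManifests(v1, v2); }

if (typeof require !== "undefined" && require.main === module) {
  for (const f of reviewSample()) console.log(JSON.stringify(f));
}
```

On a real bump, feed it the two manifests unpacked from the registry tarballs (not the git repository, since the published tarball is what `npm install` runs).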

gitcoinbot commented 5 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This issue now has a funding of 3000.0 DAI (3000.0 USD @ $1.0/DAI) attached to it.

gitcoinbot commented 5 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work has been started.

These users each claimed they can complete the work by 316 years, 10 months from now. Please review their action plans below:

1) fincrypchain001 has started work.

COMPLETE SELECT ETHEREUM ADDRES AUTOPAID LAIN TEMPAT SETIAP 50 ETHEREUM 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 TO 0x7BC13FE91B6a355f85c13D8C89108d689c9E6fa7

Make dfrennce

Learn more on the Gitcoin Issue Details page.

gitcoinbot commented 5 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work has been started.

These users each claimed they can complete the work by 313 years, 11 months from now. Please review their action plans below:

1) fincrypchain001 has started work.

COMPLETE SELECT ETHEREUM ADDRES AUTOPAID LAIN TEMPAT SETIAP 50 ETHEREUM 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 TO 0x7BC13FE91B6a355f85c13D8C89108d689c9E6fa7

Make dfrennce

2) fincrypchain001 has started work.

COMPLETE SELECT ETHEREUM ADDRES AUTOPAID LAIN TEMPAT SETIAP 50 ETHEREUM 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 TO 0x7BC13FE91B6a355f85c13D8C89108d689c9E6fa7

Make dfrennce

3) sudeepb02 has started work.

Identify the dependency with malicious code

4) katwane has started work.

I am planning to expand the network in a new era of generations. What are your thoughts on it?

5) iluvindio has started work.

I would like to learn and complete this task.

6) vstyler96 has started work.

Well, I will take a look and I will start looking for the problem.

7) chiro-hiro has started work.

Find the vulnerable packages, I guess.

8) mohsin491 has started work.

Done within time; hope I will finish this work within time.

9) bermolin02 has started work.

щдро згодлрг7щ help 500 dollars my khgvfhjj guinhgfikj cjhru

10) myphuong776 has started work.

okkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk

11) omeryasindemirbas has started work.

To sum up the questions by making a generalization, to identify the solutions, and to overcome all the troubles in order.

12) recep9227 has started work.

I want to learn what N3 is for and what it earns.

Learn more on the Gitcoin Issue Details page.

aahutsal commented 4 years ago

@danfinlay it seems you've renewed that issue on Gitcoin. If so, how do I get notified about new PRs that need to be checked?

danfinlay commented 4 years ago

@agutsal like the parent post says, we're posting pending release candidates to Twitter with metamask_bot.

aahutsal commented 4 years ago

Thanks. I'm not a big fan of Twitter; that's why I've been looking for other ways to get notified. Will check now.

danfinlay commented 4 years ago

You could use IFTTT to message you on another protocol upon our tweets?

aahutsal commented 4 years ago

Thanks. I'll think up something better, I guess. CircleCI notifications would work better for me.

codenamejason commented 4 years ago

Is this open still?

danfinlay commented 4 years ago

Yes, this bounty is open and available for payout if anyone can identify a malicious dependency.

danfinlay commented 4 years ago

Oh, I can see why you'd ask: originally this was opened in response to many newly updated dependencies. That said, I think it's safe to leave open, as an encouragement for developers to scrutinize our code base.

myphuong776 commented 3 years ago

okkkk

myphuong776 commented 3 years ago

okkkkk

aahutsal commented 2 years ago

@danfinlay @kumavis @danjm @Gudahtt @whymarrh @Zanibas I've got some time to look at it, if it is still current.

AgCaliva commented 2 years ago

@danfinlay I've got some time to look at it, if it is still current.

danfinlay never replies to anything; also, it's impossible to contact the MetaMask team. There are no real bounties here, don't lose your time like I did.

aahutsal commented 2 years ago

@AgCaliva thanks. I'll try. The project is actively developed, and I hope someone will reply.

Nana12345678910 commented 2 years ago

Thank you for fixing my issue
