MinterTeam / minter-console-web

Official Minter Console website
https://console.minter.network
MIT License

unencrypted seed phrases in leveldb file #16

Open azzsoft opened 4 years ago

azzsoft commented 4 years ago

Tested version: minter-console-0.6.2-portable-x64.exe

All seed phrases which have been submitted in the login form are stored unencrypted in the following plain text file:

\Users\\AppData\Roaming\minter-console-web\Local Storage\leveldb\000003

Seed phrases are accumulated in this file and moreover are not cleared after logging out. This is a very critical vulnerability, which confuses users, as they think the solution from the Minter team is secure.

shrpne commented 4 years ago

Thank you for reaching out!

Seed phrases are accumulated in this file and moreover are not being cleared after logging out.

Indeed there was a problem with Windows. It should be fixed in v0.6.3. Now it should clear Local Storage\leveldb\000003.log after the user logs out and exits the app.

All seed phrases, which have been submitted in the login form are stored unencrypted

This behavior of storing data is defined by Chromium and it is pretty hard to change. Also, if we tried to use another storage, we would still have to use a password to encrypt the data and a password to decrypt it. So why ask the user for a password to decrypt the mnemonic and log in, if we could ask for the mnemonic itself? So the mnemonic will still be stored in this file if the user decides not to log out and to preserve their session.

azzsoft commented 4 years ago

Good evening and thank you for the fix and reply,

I've tested version 0.6.3 and there are no changes in this security issue: to reproduce the bug I deleted the whole directory

<windows_drive>\Users\<username>\AppData\Roaming\minter-console-web

before starting the new version of the console.

After logging out, the seed phrase is still in the 000003.log file unencrypted.

In addition I would say that your approach to fixing the issue only slightly mitigates the risk of the seed phrase being stolen. As long as the user is logged into the console, the seed phrase is exposed and available to any process which runs under the current user. I would prefer a slightly better approach: you could just encrypt the seed phrase on the fly as soon as the user has logged in; the encryption credentials could be stored in memory during the working session, until the user logs out. For the transaction signing process you can decrypt/encrypt the seed phrase on the fly.

Hope that my reply will help. Regards, azz