TalismanSociety / talisman-web

Unlock the Paraverse with Talisman Portal. A Polkadot, Kusama & Parachain dashboard for the community.
https://app.talisman.xyz
GNU General Public License v3.0

Inconsistent versioning, missing security audit document #546

Open ltfschoen opened 1 year ago

ltfschoen commented 1 year ago

If I go to https://www.talisman.xyz/wallet and click the "Download" button, it takes me to this Chrome Extension to download: https://chrome.google.com/webstore/detail/talisman-polkadot-wallet/fijngjgcjhjmmpcmkeiomlglpeiijkld. It says it's Version 1.15.1, Updated March 8, 2023.

But when I go to view the associated source code here https://github.com/TalismanSociety/talisman-web so I can download that latest release locally to test it (and ideally verify the checksums and/or GPG keys in case the download was intercepted), I found that there is no tag with that version https://github.com/TalismanSociety/talisman-web/tags, there are no releases at all https://github.com/TalismanSociety/talisman-web/releases, and none of the branches mention a version number.

The Security Audit link in the GitHub repo takes users to https://www.talisman.xyz/static/media/talisman-security-audit.1d41357e3e47abcda755.pdf, which is a broken link and returns a 404 error.

But if I go to https://www.talisman.xyz/security and click "Read the latest audit", it takes me to a valid yet "Confidential" Security Audit by ChainTroopers timestamped October 21st, 2022, Version 1.1 at https://uploads-ssl.webflow.com/637412e5f6b29b2cb01a253e/639bb1f65ba1add16f8c4f3f_Talisman_Wallet_SecAssessment_report-v1.1_1.pdf, which says it was based on a security assessment conducted June 20th, 2022 to July 5th, 2022, with retesting performed on October 21st, 2022. The audit was based on commit 'd4625957f9b666d258b1f3a6c6f9c9dfef3d0aa7' and retesting on commit '3f9e080bb5c8ba0c5a4c042b52ce12d1a628f6cc' in repo https://github.com/TalismanSociety/talisman, but that repo doesn't exist anymore, so those commits aren't accessible.

The assessment revealed numerous vulnerabilities, one of them "HIGH risk. More precisely, it was identified that when the Wallet is unlocked, the password is stored in extension's memory as part of the "PasswordStore" object. An adversary, who has local access to an unlocked wallet, can steal the seed by circumventing the re-authentication control using the in-memory password" ("5.1.1 - User-provided password is stored in memory"). But I can't check to see how the audit recommendations have been resolved, since I can't find the latest code.

chidg commented 1 year ago

Hi @ltfschoen, thanks for the questions. There are a few things to address there.

Firstly, this is the repo for the Talisman Portal (web application). The Talisman extension repo is not yet public, which is why you can't find it, or the commit that is referenced in the audit, or the tags relating to the releases.

The ChainTroopers audit which you have found on our website is not yet finalised and should not have been published. That's our mistake. We have addressed those issues, including the one regarding the password. In regards to that, we believe it was not a particularly large risk in the first place. However, we have taken additional steps to mitigate any risk, including using strong encryption on the stored password and implementing an automatic timed logout on the extension. These improvements have been in production in the extension for several months now.

We're currently in discussions with the auditor to finalise that audit and will release the final report soon.

We are also in progress towards making the extension repo public, which we hope to do in the next quarter.

Apologies for the confusion on those issues and thanks for taking an active interest in the security of Talisman. Feel free to chat further here or in our Discord.