Can export even without knowing the wallet password

[mr-j0nes]

Correct me if I am wrong but I think the Export Wallet functionality has an issue.

Let's say I have installed in my phone BitPay or CoPay and I have a wallet protected with a long password,

If anybody has access to my phone, that person can go to "Wallet Settings -> Advance -> Export Wallet -> File/text." In "Set Up a Password" and "Repeat the Password" can type "123" and click "Send by email" and sends the text to her/his email address.

Later the attacker can install BitPay or CoPay in his phone and start by importing the wallet, when going to import from "File/text" paste the text in the email and as password type "123". The wallet is imported without problems..

BitPay Windows v1.2.0 BitPay Android v1.2.0 CoPay Android v2.6.0

[JDonadio]

Hi @mr-j0nes, regarding the security scenario mentioned, I'm sure that the spending passowrd is requested before be copied to the clipboard or show up the send by email options. I'm trying in different platforms and works fine.

[mr-j0nes]

Sorry I didn't clarify. The long password I meant is the one associated with the private key. I have not set any spending password. When I created the wallet I set it with a long password and this was ignored when exporting it.

PS: Thanks for the super quick replay.

[JDonadio]

@mr-j0nes when you try to import a wallet and if you don't specific one in password field, this will happen:

The importing process always check for encrypted fields of the wallet what you are trying to add.

[mr-j0nes]

The recovering is with "File/Text" not with "Recovery Phrase".

Ok here is the whole procedure to recreate the issue. Now I'm just using BitPay for Windows for this test:

1. Create a wallet
   • On Home press the "+" symbol
   • Choose "New personal wallet" and name it "Personal Wallet Test"
   • Expand advance options and set "Encrypt with a Password"
   • Set as password "ThisIsALongPassword" and check "I have written it down"
   • Click "Create wallet"

We created our wallet and it appears in home (Backup of Recovery Phrase is optional)

2. Export

   • Go to "Settings" and click on "Personal Wallet Test"
   • Click "More options" and on "Export Wallet"
   • We are on File/Text on "Set as password" and "Repeat the password" type "123"
   • Click "Download" and save the json file.

3. Delete

   • Go to "Settings" and click on "Personal Wallet Test"
   • Click "More options" and on "Delete Wallet"
   • Click on "Delete Personal Wallet Test" and "Ok"

We have deleted our wallet and it does not appear in home anymore

4. Import
   • On Home press the "+" symbol
   • Choose "Import wallet"
   • Select the tab of "File/Text"
   • Click on "Choose file" and select the json file
   • As password type "123" and click "Import backup"

Now we have the "Personal Wallet Test" imported successfully without using the password "ThisIsALongPassword". It appears again in home...

[matiu]

Hi @mr-j0nes

There is an error on the text of the app, that leads to this issue.

The passphrase that is optionally set at the moment you create the wallet is an optional salt to the "words to private key" derivation. (See https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed ). It does not encrypt the wallet. This passphrase is only useful to protect the WORDS: if you store the 12 words somewhere and an attacked grabs them, he will need the passphrase to derive your wallet. But it does NOT protect the wallet once it is installed on the device. For that you need the "spending password", that encrypts the private key, and it is asked everytime you need to use it.

We will fix this text error (that only happens in Bitpay App, not in Copay) today, and release a new version with the fix.

Thanks a lot for the detailed report.