brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Misleading Signing Request Message (BRA-Q322-7) #24816

Closed josheleonard closed 2 years ago

josheleonard commented 2 years ago

Description

Brave Wallet is a non-custodial wallet, and only its users have sole control of their private keys. With the help of Brave Wallet, users can conveniently perform multiple cryptographic operations, such as signing transactions or arbitrary messages. Such signed messages could be used for a variety of use cases including, but not limited to:

• authenticate users
• sign off-chain messages for on-chain protocols, etc.

Great care should be taken to show a user exactly what the website requires to sign, and warn in the case of any suspicious scenarios.

In the sign-request window, the Brave Wallet renders all input Unicode characters. This makes the following phishing scenarios possible:

• using new line characters to hide the actual payload in the non-visible area of the sign request dialog (no scrollbar is shown to the user until the user forcibly scrolls in the right area of the window)
• using Right-To-Left characters to change the direction of the rendered text

Steps to Reproduce

1. Unlock the macOS version of the Brave Wallet and navigate to any connected website
2. Open the developer console and execute the following JavaScript code: window.ethereum.request({"method":"personal_sign","params":["<account address>", "Main Message\nEvil payload is below \n\n\n\n\n\n\n\n\n\n\n\nMy Evil payload"],"id":1})
3. Note that <account address> should be changed to your account address
4. Verify a dialog presented to the user
5. Click Cancel and execute the following JavaScript code: window.ethereum.request({"method":"personal_sign","params":["<account address>", "Sign into \u202E EVIL"],"id":1})
6. Verify a dialog presented to the user. It contains text "Sign into LIVE"

Actual result:

Dialog presented to the user. It contains text "Sign into LIVE"

Expected result:

Show the user a warning message about non-ASCII characters in the message requested for signing. Alternatively, hex-encode non-visible characters, so they are always visible to the user. Always show a scrollbar indicating that not the whole message is currently visible to the user. Additionally, it is recommended to show a warning message in case of the presence of any Unicode characters that change the direction of the text.

Reproduces how often:

Easily
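Added example (not Brave Wallet code, not part of this report): a check a wallet could run on a personal_sign payload before rendering it, implementing the mitigations the expected-result section asks for. The function name, the character classes and the blank-line threshold are assumptions chosen for illustration.

```javascript
// Unicode characters that change text direction (ALM, LRM/RLM, LRE/RLE/PDF/LRO/RLO, isolates).
const BIDI_CONTROLS = /[\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069]/;

// Code points that render no visible glyph: C0/C1 controls (except "\n", handled
// separately), soft hyphen, zero-width characters, bidi controls, word joiners, BOM.
const NON_VISIBLE =
  /[\u0000-\u0009\u000B-\u001F\u007F-\u009F\u00AD\u061C\u200B-\u200F\u202A-\u202E\u2060-\u2064\u2066-\u2069\uFEFF]/g;

// Number of consecutive blank lines above which content is assumed to be pushed
// out of the visible dialog area (assumed threshold).
const HIDDEN_BLANK_LINES = 3;

// Returns warnings to show the user and a display string in which every
// non-visible character is replaced by its \uXXXX escape.
function analyzeSignMessage(message) {
  const warnings = [];

  if (BIDI_CONTROLS.test(message)) {
    warnings.push('message contains Unicode text-direction controls');
  }
  // Anything outside printable ASCII (newline allowed) triggers the non-ASCII warning.
  if (/[^\x20-\x7E\n]/.test(message)) {
    warnings.push('message contains non-ASCII characters');
  }
  // Longest run of blank lines: a run of N newlines produces N-1 empty lines.
  const runs = message.match(/\n{2,}/g) || [];
  const blankRun = Math.max(0, ...runs.map(r => r.length - 1));
  if (blankRun >= HIDDEN_BLANK_LINES) {
    warnings.push(`message hides content behind ${blankRun} consecutive blank lines`);
  }

  // Hex-escape non-visible characters so the user sees them literally.
  const display = message.replace(NON_VISIBLE, ch =>
    '\\u' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'));

  return { warnings, blankRun, display };
}
```

With the RLO payload from the report, the dialog text would read "Sign into \u202E EVIL" instead of "Sign into LIVE", and the hidden-payload message would be flagged for its run of blank lines.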

srirambv commented 2 years ago

Verification passed on

Brave 1.45.95 Chromium: 106.0.5249.103 (Official Build) beta (64-bit)
Revision 182570408a1f25ab2731ef5f283b918df9b9f956-refs/branch-heads/5249_91@{#6}
OS Linux

https://user-images.githubusercontent.com/17010094/196100862-142b9740-224f-49d5-a66e-ad2ebfd050f1.mp4


Verification passed on

Brave 1.45.95 Chromium: 106.0.5249.103 (Official Build) beta (64-bit)
Revision 182570408a1f25ab2731ef5f283b918df9b9f956-refs/branch-heads/5249_91@{#6}
OS Windows 11 Version 21H2 (Build 22000.978)

https://user-images.githubusercontent.com/17010094/196100909-9975cd19-556b-4f37-956f-267ab6bfcd4b.mp4


Verification passed on

Brave 1.45.95 Chromium: 106.0.5249.103 (Official Build) beta (arm64)
Revision 182570408a1f25ab2731ef5f283b918df9b9f956-refs/branch-heads/5249_91@{#6}
OS macOS Version 12.4 (Build 21F79)

https://user-images.githubusercontent.com/17010094/196101463-ce4b7505-6c61-47e6-8b91-04a4652ab851.mov