Incident Response/Assessment: Chrome One Wallet Extension

[omhmichaels]

Description

Two members of our community have reached out on talk.harmony.one about having large amounts of one taken. Harmony is launching a vulnerability assessment and analysis of Chrome One Wallet Extensions attack surface.

Context

Timeline

• Nov12:@givp Issued a bounty to identify the root cause of Harmony Chrome Extension wallets account inconsistency.
  • Potential Relation: Reported an issue with the Harmony Chrome Extension whereby upon restoration of a wallet, the wallet holds a different address from the original.
  • Post: [https://github.com/harmony-one/bounties/issues/88]
• Nov18: @RoboValidator Posted about having ten million one stolen. Did not say if he was using one wallet extension on chrome.
  • Post: [Convo] (https://talk.harmony.one/t/offering-bounty-to-the-hacker-who-stole-10m-one/5845)
  • Tx: Transaction
• Nov25: @cowgp Posted about having over 1.6 million one stolen. States he was using the Chrome wallet extension to stake, unstake and redelegate rewards.
  • Post: [Conversation] (https://talk.harmony.one/t/hip-17-blacklist-for-malicious-one-wallet-addresses/3272/63)
  • Tx: Transaction

Acceptance Criteria

**The following must be completed with a report of findings including steps to reproduce. The scope of the assessment done as well as any findings should be clearly described and any should be demonstrated clearly.

Artifact/Lead Collection

Gather and Document Artifacts:

• [] Device Info:
• [] Browser type:
• [] Extension version:
• [] Where mnemonic may have been stored:
• [] List of recently visited websites with the browser of the extension on (all computers and browser profiles) for as far back as possible especially when the un-delegation started.

Leads from conversations with harmony devs and the individuals involved for documentation:

• [] OSINT research into wether the victims wallet addresses where posted publically linking them to posts about there staking activities or linking them to there true identity.

Other artifacts:

• []
• []

Applications Security Info Gathering Credential Generation/Storage

• [] How does the application generate the seed phrase and private key?

• [] How and where does the application store the seed phrase and private key?

• [] Where does wallet/application stores sensitive data, how are they stored?

• [] Does the application enforce a strong password policy?

• Areas of interest: Potential UaF, CSRF, CRLF or [Bruteforce Bypass]() Addition Brute Force TOTP 2fa Info

  • [] Does the application require 2FA or pin code when users attempt to access sensitive information or transfer a token out?

• Networking

  • [] Does the wallet connect to a trustworthy blockchain node?
  • [] Does the application allow users to configure a custom blockchain node, if so, what can a malicious blockchain node do to the application?
  • [] Does the application utilize a cartelized server, what information is sent from the client to the server?
  • [] Does the application server enforce TLS connection?

• Source Code Analysis

  • [] Any secret(ex. API keys, AWS credentials) leaks in the source code repository?
  • [] Does the application third-party libraries and do the contain any vulnerabilities?
  • [] Any notable bad coding practice(ex. misuse cryptography) in the codebase?

• Web Application Vulnerability Assesments

Web Application Security Testing

• [] Review Webpage Content for Information Leakage
• [] Identify Application Entry Points
• [] Map Execution Paths Through Application
• [] Fingerprint Web Application Framework
• [] Fingerprint Web Application
• [] Map Application Architecture
• [] Configuration and Deployment Management Testing

Test Network Infrastructure Configuration

• [] Test Application Platform Configuration
• [] Test HTTP Methods
• [] Test HTTP Strict Transport Security
• [] Test RIA Cross Domain Policy
• [] Test File Permission
• [] Test for Subdomain Takeover
• [] Test Cloud Storage
• [] Identity Management Testing
• [] Test Role Definitions
• [] Test User Registration Process
• [] Test Account Provisioning Process
• [] Testing for Account Enumeration and Guessable User Account
• [] Testing for Weak or Unenforced Username Policy

Authentication Testing

• [] Testing for Credentials Transported over an Encrypted Channel
• [] Testing for Weak Lock Out Mechanism
• [] Testing for Bypassing Authentication Schema
• [] Testing for Vulnerable Remember Password
• [] Testing for Browser Cache Weaknesses
• [] Testing for Weak Password Policy
• [] Testing for Weak Password Change or Reset Functionalities
• [] Testing for Weaker Authentication in Alternative Channel

Authorization Testing

• [] Testing for Bypassing Authorization Schema
• [] Testing for Privilege Escalation
• [] Testing for Insecure Direct Object References

Session Management Testing

• [] Testing for Session Management Schema
• [] Testing for Cookies Attributes
• [] Testing for Session Fixation
• [] Testing for Exposed Session Variables
• [] Testing for Cross Site Request Forgery
• [] UaF Testing
• [] Testing for Logout Functionality
• [] Testing Session Timeout
• [] Testing for Session Puzzling
• [] Testing for Session Hijacking
• [] Input Validation Testing
• [] Testing for Reflected Cross Site Scripting
• [] Testing for Stored Cross Site Scripting
• [] Testing for HTTP Verb Tampering
• [] Testing for HTTP Parameter Pollution4.7.5.1 Testing for Oracle

Web Security Testing

• [] Testing PostgreSQL
• [] Testing for ORM Injection
• [] Testing for Client-side
• [] Testing for LDAP Injection
• [] Testing for XML Injection
• [] Testing for SSI Injection
• [] Testing for XPath Injection
• [] Testing for IMAP SMTP Injection
• [] Testing for Code Injection
• [] Testing for Local File Inclusion
• [] Testing for Remote File Inclusion
• [] Testing for Command Injection
• [] Testing for Format String Injection
• [] Testing for Incubated Vulnerability
• [] Testing for HTTP Splitting Smuggling
• [] Testing for HTTP Incoming Requests
• [] Testing for Host Header Injection
• [] Testing for Server-side Template Injection
• [] Testing for Server-Side Request Forgery
• [] Testing for Error Handling
• [] Testing for Improper Error Handling
• [] Testing for Stack Traces
• [] Testing for Weak Cryptography
• [] Testing for Weak Transport Layer Security
• [] Testing for Padding Oracle
• [] Testing for Sensitive Information Sent via Unencrypted Channels
• [] Testing for Weak Encryption

Business Logic Testing

• [] Test Business Logic Data Validation
• [] Test Ability to Forge Requests
• [] Test Integrity Checks
• [] Test for Process Timing
• [] Test Number of Times a Function Can Be Used Limits
• [] Testing for the Circumvention of Work Flows
• [] Test Defenses Against Application Misuse
• [] Test Upload of Unexpected File Types
• [] Test Upload of Malicious Files

Client-side Testing

• [] Testing for DOM-Based Cross Site Scripting
• [] Testing for JavaScript Execution
• [] Testing for HTML Injection
• [] Testing for Client-side URL Redirect
• [] Testing for CSS Injection
• [] Testing for Client-side Resource Manipulation
• [] Testing Cross Origin Resource Sharing
• [] Testing for Cross Site Flashing
• [] Testing for Clickjacking

Web Security Testing

• [] Testing WebSockets
• [] Testing Browser Storage
• [] Testing for Cross Site Script Inclusion
• [] API Testing

Reward

TBD...

Additional References

• Andriod Wallet Security Paper: andriod-wallet-security.pdf

• OWASP Application Security Verification Standard 4.0.3-en.pdf

• OWASP Web App Security Testing Guide

• Tools

• ZAP Attack Proxy

• Potential Resources For Incident Respons or related DAO's:

• Incident-Response_Initial-Prep.pdf

• IR-handbook.pdf

NOTES

• Keep a Security list of all bug fixes which could potentially comprimise the security of applications in the ecosystem. Maybe a list of all bugs and patches all in one display or location

RESOURCES

APP SOURCE CODE

• harmony chrome extension
• Harmony Chrome Extension Wallet v1.2.5 Latest Update init address list with Dat Penguin Club Contract address. Remove unnecessary isValidJson() check. This was not allowing HRC 721 tokens to be displayed properly.*
  • [https://github.com/harmony-one/chrome-extension-wallet/archive/refs/tags/1.2.5.tar.gz]
• Repo named in package.json line 9
• Harmony Chrome Extension Wallet v1.2.3: Password issue is fixed. You should be able to sign in/delegate/undelegate without any issue.
  • [https://github.com/harmony-one/chrome-extension-wallet/archive/refs/tags/1.2.5.tar.gz]
• *[https://github.com/harmony-one/chrome-extension-wallet/archive/refs/tags/v1.2.3.tar.gz]
• Harmony One Wallet v1.0.8 Pre-release:
  • Security: Tab response hijacking protection, Safe hostname detection, Private data is unreachable in page's javascript runtime (Derek)
  • Features: Displaying suggested human-readable method with input arguments when signing a data tx (Derek)
  • [https://github.com/harmony-one/chrome-extension-wallet/archive/refs/tags/v1.0.8.tar.gz]
• Harmony One Wallet v1.0.7: Remove the master password, roll back to 1.0.5, and fixed the potential vulnerability issue.
  • [https://github.com/harmony-one/chrome-extension-wallet/archive/refs/tags/v1.0.7.tar.gz]

[AgCaliva]

Hi people. Before anything can be done in a serious way, we need to take out all easy methods that can be used to hack wallets, before going in deep. Thats why i suggest removing the Copy To Clipboard option in all private key or key that can be used to import wallet, because if you copy to clipboard, some websites can get the content. Reference: https://stackoverflow.com/questions/6413036/get-current-clipboard-content https://caniuse.com/?search=clipboardData

Copy to clipboard, and i think taking screenshots are potential attack vectors. Before anything can be done those have to be mitigated.