nunchuk-io / nunchuk-android

Security and convenience. Get both with Nunchuk Bitcoin wallet.
https://nunchuk.io
GNU General Public License v3.0
49 stars, 4 forks

Air-gapped wallet signing - privacy leak #30

Open Marc-Gee opened 1 year ago

Marc-Gee commented 1 year ago

Hi, thanks for your work on this collaborative wallet! A private key privacy issue that I found today when testing it with an airgapped key was very scary, however.

Issue: The signing workflow asked me to show my Key's QR code, for signing, and without realizing, I showed the phone camera my Private Key QR. (Testnet Phew)

Suggestion: the workflow label should have said "Import PSBT" when the required key was already known/defined as airgapped! Additionally, it should not have offered the (1st) option of "Import signature", but rather only "Export Transaction [PSBT]".

Background: I was trying to sign my 1st Txn via a 2-of-3 collaborative wallet with a remote friend, and when it was my turn to sign, the action label said "Sign". I selected that, and then I chose 'Sign with QR'. In my next step, when it asked for a signature, I then showed the phone camera my private key QR (Testnet, phew)! (I didn't realize that I had an internet-connected phone in my hand.)

I (and my friend) suggest that I should instead have been prompted with only 'Import the PSBT'. To stay private, an airgapped wallet would then handle the signing of that PSBT internally, inside its airgap, and then once signed inside there, the PSBT will be uploaded back to Nunchuk.

Thanks again for an otherwise excellent collab multi-sig!

MarcG

[Screenshot: Screenshot_20230817-194013~3]

vehicles4real commented 1 year ago

Have you lost anything?

Marc-Gee commented 1 year ago

Nope, thankfully we were only testing on Testnet! Marc.

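One way an app could enforce the "PSBT only" import suggested in this issue, as an added example that is not code from the issue or from the Nunchuk project: classify each scanned QR string and let the signing flow accept nothing but a PSBT, so private-key material shown to the camera is rejected instead of processed. The function names are hypothetical, the mnemonic check is a shape heuristic, and only raw base64 or hex PSBT text is handled (animated multi-part QR encodings are out of scope).

```python
import base64
import hashlib

PSBT_MAGIC = b"psbt\xff"  # BIP174 magic bytes
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Base58 prefixes of extended private keys (BIP32 and SLIP-132 variants)
XPRV_PREFIXES = ("xprv", "tprv", "yprv", "zprv", "uprv", "vprv",
                 "Yprv", "Zprv", "Uprv", "Vprv")
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}  # BIP39 word counts
# Constructed sample: the PSBT magic plus padding, not a real transaction
SAMPLE_PSBT_B64 = base64.b64encode(PSBT_MAGIC + b"\x00" * 8).decode()


def b58check_decode(text):
    """Return the Base58Check payload (version byte included) or None."""
    num = 0
    for ch in text:
        if ch not in B58:
            return None
        num = num * 58 + B58.index(ch)
    raw = num.to_bytes((num.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(text) - len(text.lstrip("1"))) + raw
    if len(raw) < 5:
        return None
    body, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(body).digest()).digest()
    return body if digest[:4] == checksum else None


def classify_scan(payload):
    """Classify a scanned QR string as 'psbt', 'secret' or 'unknown'."""
    text = payload.strip()
    if text.startswith(XPRV_PREFIXES):
        return "secret"  # extended private key
    wif = b58check_decode(text)
    if wif and wif[0] in (0x80, 0xEF) and len(wif) in (33, 34):
        return "secret"  # WIF private key (mainnet or testnet)
    words = text.split()
    if len(words) in MNEMONIC_LENGTHS and all(w.isalpha() and w.islower() for w in words):
        return "secret"  # shaped like a BIP39 mnemonic (heuristic)
    for decode in (bytes.fromhex, lambda s: base64.b64decode(s, validate=True)):
        try:
            if decode(text).startswith(PSBT_MAGIC):
                return "psbt"
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return "unknown"


def accept_signing_import(payload):
    """Signing-flow gate: the camera may only import a PSBT."""
    return classify_scan(payload) == "psbt"
```

A caller would discard a "secret" result immediately, without logging or storing the scanned string, and show the user a warning that a private key was presented to an online device.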