search

phantom / blocklist

146 stars 249 forks source link

Threat actors are temporarily redirecting phishing domains to phantom.app/download to avoid detection #784

Open 0xgumby opened 9 months ago

0xgumby commented 9 months ago

When submitting URLs to the blocklist, I noticed that some would temporarily get blocked from the extension and then become unblocked. Upon scanning them, quite a few have redirected to the legitimate Phantom download page.

There's a possibility they are using something like https://github.com/oftn-oswg/zerodrop in order to redirect when certain conditions are met.

https://urlscan.io/search/#phantom.app

image

woodydeck commented 1 week ago

I think they are doing worse than this. I figured out an exploit to subvert the filter calls. It would need some work to return valid data to Phantom as it doesn't seem to be signed.

You can use various methods to block traffic to certain domains at the browser level in a few ways. In #1421 I pointed out part of the solution to add potentially malicious and unneeded Phantom calls locally to the hosts file. To do this in the browser a zero day is not needed, but I'm sure there are techniques I didn't think of to filter traffic without user interaction. That's the easy part.

You can suppress the message in Phantom that warns you about 'malicious' sites, because it doesn't check if the reply is actually from Blowfish or their blocklist. This is amateur hour for wallets. I'm actually quite shocked how bad security is in Phantom and the arrogant approach.

I no longer report bugs for bounties. I'm not going to share the details to any company, because they never pay. Things like https://phantom.app/bug-bounty are useless. These arrogant projects always say it's a lower threat level to not pay you, and if you disclose it because they don't grasp the full gravity, then they say they won't pay you because you disclosed it.

I haven't gone deep into implementing all my ideas, because honestly I don't care to use Solana anymore with this comical level of both arrogance and the desire to censor at the expense of security. If someone wants to explore, this is the gist of how to do it.

So this is a half-disclosure. We'll see if they get it, but thinking you can outsource user security to a third party like Blowfish is uh, a really terrible idea. I'm actually glad I stumbled upon this issue. I'm just a random guy making a dumb project for fun. I care zero about money, only the defense of free speech and expression.