Open t4top opened 7 months ago
@t4top We wanted to implement a password prompt, but currently, that's not possible. So now the snap requests the user’s authorization before proceeding. We are now displaying the request origin to make sure the request comes from a safe origin. We will update this when the password functionality is available in snap.
The MinaPortal snap exposes the `mina_exportPrivateKey` interface, allowing the private key of a specified account to be exported. I believe private keys should never be exposed through an interface that can be triggered via code. Users should only be able to view their private keys by accessing the wallet settings. zkApps should never ask users for their private keys. While I see a warning window displayed, as shown in the attached screenshot, a malicious zkApp could exploit this interface to deceive uninformed users into clicking the Approve button.

I suggest removing the `mina_exportPrivateKey` interface entirely or, at the very least, implementing multiple levels of warning dialogs to clearly caution users that the trigger originated from the zkApp and that the app may be malicious.
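One way to enforce the restriction this issue asks for, as an added example that is not part of the thread and not MinaPortal's code: an RPC dispatcher that refuses `mina_exportPrivateKey` from any origin other than the wallet's own UI, and still requires an approval that names the origin. The `confirm` callback, the `https://wallet.example` origin, `example_getBalance` and all sample values are assumptions made for the illustration.

```javascript
// Added illustration. Only mina_exportPrivateKey comes from the issue;
// every other name, origin and value here is hypothetical or constructed.
const SENSITIVE_METHODS = new Set(['mina_exportPrivateKey']);

// Assumption: the wallet's own settings UI is served from this origin.
const WALLET_UI_ORIGINS = new Set(['https://wallet.example']);

// confirm:  async stand-in for the snap's approval dialog.
// handlers: Map of RPC method name to implementation (a Map, so that
//           inherited names such as "constructor" never resolve).
function makeRpcHandler({ confirm, handlers }) {
  return async function onRpcRequest({ origin, request }) {
    const impl = handlers.get(request.method);
    if (typeof impl !== 'function') {
      throw new Error(`Method not found: ${request.method}`);
    }
    if (SENSITIVE_METHODS.has(request.method)) {
      // Gate 1: a zkApp origin is refused before any dialog is shown,
      // so there is no Approve button for it to talk the user into.
      if (!WALLET_UI_ORIGINS.has(origin)) {
        throw new Error(`${request.method} is not available to ${origin}`);
      }
      // Gate 2: the wallet UI still needs explicit approval, and the
      // dialog is told which origin asked and for which method.
      const approved = await confirm({ origin, method: request.method });
      if (approved !== true) {
        throw new Error('User rejected the request');
      }
    }
    return impl(request.params);
  };
}
```

Non-sensitive methods pass through without a dialog, so the gate does not train users to click Approve on routine requests.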