Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Crypto Wallet/Greaselion should not be allowed to run on Private/Tor windows by default #13506

Closed
srirambv opened this issue Jan 12, 2021 · 3 comments · Fixed by brave/brave-core#7579
Closed

[Security] Crypto Wallet/Greaselion should not be allowed to run on Private/Tor windows by default #13506

srirambv opened this issue Jan 12, 2021 · 3 comments · Fixed by brave/brave-core#7579
Assignees
@darkdh
Labels
feature/ethereum-remote-client feature/extensions OS/Desktop priority/P1 A very extremely bad problem. We might push a hotfix for it. QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release/blocking release-notes/include security
Milestone
1.20.x - Release

Comments

@srirambv
Copy link
Contributor

srirambv commented Jan 12, 2021
edited
Loading

Description

Greaselion shouldn't have an option for Allow in Private under extension details since Rewards doesn't work on Private / Tor / Guest windows. Similarly Crypto Wallet should not be allowed to run in Private / Tor / Guest as well

Steps to Reproduce

Greaselion

  1. Launch nightly with --show-component-extension-options
  2. Open brave://extensions and go to details for any greaselion
  3. Allow in Private option is available and enabled by default

Crypto Wallet

  1. Launch nightly with --show-component-extension-options
  2. Open brave://wallet and install component
  3. Go to brave://extensions and go to details for Crypto Wallet Component
  4. Allow in Private option is available and enabled by default

Actual result:

image

Expected result:

Greaselion shouldn't have an option for Allow in private since Rewards isn't going to work on Private / Tor / Guest windows. Crypto Wallet shouldn't have Allow in private mode enabled by default

Reproduces how often:

Easy

Brave version (brave://version info)

Brave 1.20.73 Chromium: 88.0.4324.79 (Official Build) nightly (64-bit)
Revision bd1e9353659b2491dac971226a973ca3b5684a14-refs/branch-heads/4324@{#1520}
OS Linux

Version/Channel Information:

  • Can you reproduce this issue with the current release? Yes
  • Can you reproduce this issue with the beta channel? Yes
  • Can you reproduce this issue with the nightly channel? Yes

Other Additional Information:

  • Does the issue resolve itself when disabling Brave Shields? NA
  • Does the issue resolve itself when disabling Brave Rewards? NA
  • Is the issue reproducible on the latest version of Chrome? NA

Miscellaneous Information:
@srirambv srirambv changed the title Greaselion should not be allowed to run on Private/Tor windows by default Crypto Wallet/Greaselion should not be allowed to run on Private/Tor windows by default Jan 12, 2021
@diracdeltas
Copy link
Member

not sure if #13279 is related, but would be good to fix that issue as well

@darkdh
Copy link
Member

darkdh commented Jan 12, 2021

@diracdeltas #13279 will also be fixed

@darkdh darkdh mentioned this issue Jan 13, 2021
Merged
23 tasks
@srirambv srirambv mentioned this issue Jan 13, 2021
Open
@darkdh darkdh added this to the 1.20.x - Nightly milestone Jan 13, 2021
@darkdh darkdh mentioned this issue Jan 14, 2021
Closed
4 tasks
@LaurenWags LaurenWags added the feature/web3/wallet Integrating Ethereum+ wallet support label Feb 1, 2021
@LaurenWags LaurenWags changed the title Crypto Wallet/Greaselion should not be allowed to run on Private/Tor windows by default [Security] Crypto Wallet/Greaselion should not be allowed to run on Private/Tor windows by default Feb 1, 2021
@srirambv
Copy link
Contributor Author

srirambv commented Feb 5, 2021

Verification passed on

Brave 1.20.100 Chromium: 88.0.4324.146 (Official Build) (64-bit)
Revision 406dc88511162d6598242f2c709be1414a042fb0-refs/branch-heads/4324@{#2088}
OS Linux
  • Verified Greaselion extensions don't have a Allow in private option
    image
  • Verified CryptoWallet extension has Allow in private disabled by default
    image
  • Verified enabling Allow in private works as expected
    image

Verification passed on

Brave 1.20.100 Chromium: 88.0.4324.146 (Official Build) (64-bit)
Revision 406dc88511162d6598242f2c709be1414a042fb0-refs/branch-heads/4324@{#2088}
OS Windows 10 OS Version 2009 (Build 19042.746)

  • Verified Greaselion extensions don't have a Allow in private option
    image

  • Verified CryptoWallet extension has Allow in private disabled by default
    image

  • Verified enabling Allow in private works as expected
    image

Verification passed on

Brave 1.20.100 Chromium: 88.0.4324.146 (Official Build) (x86_64)
Revision 406dc88511162d6598242f2c709be1414a042fb0-refs/branch-heads/4324@{#2088}
OS macOS Version 10.15.7 (Build 19H114)

  • Verified Greaselion extensions don't have a Allow in private option
    image

  • Verified CryptoWallet extension has Allow in private disabled by default
    image

  • Verified enabling Allow in private works as expected
    image

@LaurenWags LaurenWags mentioned this issue Feb 8, 2021
Closed
@srirambv srirambv added feature/ethereum-remote-client and removed feature/web3/wallet Integrating Ethereum+ wallet support labels Sep 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@darkdh darkdh

Labels
feature/ethereum-remote-client feature/extensions OS/Desktop priority/P1 A very extremely bad problem. We might push a hotfix for it. QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release/blocking release-notes/include security
Projects
None yet
Milestone
1.20.x - Release
Development

Successfully merging a pull request may close this issue.

Handle "Allow in private" for Crypto Wallet and Greaselion brave/brave-core
4 participants
@diracdeltas @darkdh @srirambv @LaurenWags