Misleading Signing Request Message (BRA-Q322-7) #24816
Labels: feature/web3/wallet, OS/Desktop, priority/P3, QA Pass-Linux, QA Pass-macOS, QA Pass-Win64, QA/Yes, release-notes/include, security
Description
Brave Wallet is a non-custodial wallet: its users alone control their private keys. With Brave Wallet, users can conveniently perform a range of cryptographic operations, such as signing transactions or arbitrary messages. Such signed messages can serve a variety of purposes, including but not limited to:
• authenticating users
• signing off-chain messages for on-chain protocols
Great care should be taken to show the user exactly what the website is asking them to sign, and to warn them in any suspicious scenario.
In the sign-request window, Brave Wallet renders all input Unicode characters verbatim. This makes the following phishing scenarios possible:
• using newline characters to push the actual payload into the non-visible area of the sign-request dialog (no scrollbar is shown to the user until they deliberately scroll within the right area of the window)
• using a Right-To-Left override character to change the direction of the rendered text
Steps to Reproduce
window.ethereum.request({"method":"personal_sign","params":["", "Main Message\nEvil payload is below \n\n\n\n\n\n\n\n\n\n\n\nMy Evil payload"],"id":1})
window.ethereum.request({"method":"personal_sign","params":["", "Sign into \u202E EVIL"],"id":1})
Actual result:
A dialog is presented to the user containing the text "Sign into LIVE".
Expected result:
Show the user a warning about non-ASCII characters in the message requested for signing. Alternatively, hex-encode non-visible characters so that they are always visible to the user. Always show a scrollbar indicating that the whole message is not currently visible to the user.
Additionally, it is recommended to show a warning whenever the message contains any Unicode characters that change the direction of the text.
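The checks proposed above, written out as an added example; this is not Brave Wallet's code. It scans a personal_sign message before it is rendered, flags direction-changing characters, non-visible characters, non-ASCII characters and messages longer than the dialog's visible area, and produces a rendering in which non-visible characters are hex-encoded. The set of bidi control characters, the assumed dialog height (maxVisibleLines), and the two sample messages are constructed for this example.

```javascript
// Added example, not Brave Wallet's own code: inspect a personal_sign message
// before showing it in a signing dialog, warn about the tricks described in
// this issue, and render every non-visible character hex-encoded.

// Unicode bidi controls that can reorder or mirror rendered text (assumed list).
const BIDI_CONTROLS = new Set([
  0x202a, 0x202b, 0x202c, 0x202d, 0x202e, // LRE, RLE, PDF, LRO, RLO
  0x2066, 0x2067, 0x2068, 0x2069,         // LRI, RLI, FSI, PDI
  0x200e, 0x200f, 0x061c,                 // LRM, RLM, ALM
]);

// Code points that occupy no visible space in a dialog: C0/C1 controls,
// zero-width spaces/joiners, word joiner, BOM and the bidi controls above.
function isNonVisible(cp) {
  return cp < 0x20 || (cp >= 0x7f && cp <= 0x9f) ||
    (cp >= 0x200b && cp <= 0x200d) || cp === 0x2060 || cp === 0xfeff ||
    BIDI_CONTROLS.has(cp);
}

// Escape one code point as \u{XXXX} with at least four hex digits.
function hexEscape(cp) {
  return '\\u{' + cp.toString(16).padStart(4, '0') + '}';
}

// maxVisibleLines is an assumed dialog height, used only to decide when to
// warn that part of the message is out of view.
function analyzeSignMessage(message, maxVisibleLines = 6) {
  let hasNonAscii = false, hasBidi = false, hasNonVisible = false;
  let lineCount = 1;
  let rendered = '';
  for (const ch of message) {            // iterates by code point, not UTF-16 unit
    const cp = ch.codePointAt(0);
    if (cp > 0x7e) hasNonAscii = true;
    if (BIDI_CONTROLS.has(cp)) hasBidi = true;
    if (cp === 0x0a) {                   // keep line breaks, but count them
      lineCount++;
      rendered += ch;
    } else if (isNonVisible(cp)) {       // make everything else invisible visible
      hasNonVisible = true;
      rendered += hexEscape(cp);
    } else {
      rendered += ch;
    }
  }
  const warnings = [];
  if (hasBidi) warnings.push('Message contains characters that change text direction');
  if (hasNonVisible) warnings.push('Message contains non-visible characters (shown hex-encoded)');
  if (hasNonAscii) warnings.push('Message contains non-ASCII characters');
  if (lineCount > maxVisibleLines) {
    warnings.push(`Message has ${lineCount} lines; only ${maxVisibleLines} are visible without scrolling`);
  }
  return { rendered, warnings, hasNonAscii, hasBidi, hasNonVisible, lineCount };
}

// Constructed samples modelled on the two requests in this issue.
const SAMPLE_HIDDEN = 'Main Message\nEvil payload is below' + '\n'.repeat(12) + 'My Evil payload';
const SAMPLE_RTL = 'Sign into \u202E EVIL';

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of [SAMPLE_HIDDEN, SAMPLE_RTL]) {
    const r = analyzeSignMessage(m);
    console.log(r.rendered);
    for (const w of r.warnings) console.log('  WARNING: ' + w);
  }
}
```

Running the block prints each sample with its warnings; the RLO sample renders as "Sign into \u{202e} EVIL", so the reversed word can no longer pass as "LIVE". A wallet would show the rendered string together with the warnings and a scrollbar, rather than the raw message.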
Reproduces how often:
Easily