Misleading Signing Request Message (BRA-Q322-7) #24816

Closed
josheleonard opened this issue Aug 19, 2022 · 1 comment · Fixed by brave/brave-core#14686
josheleonard commented Aug 19, 2022

Description

Brave Wallet is a non-custodial wallet, and only its users have sole control of their private keys. With the help of Brave Wallet, users can conveniently perform multiple cryptographic operations, such as sign transactions or arbitrary messages. Such signed messages could be used for a variety of use cases including, but not limited to:
• authenticate users
• sign off-chain messages for on-chain protocols, etc.

Great care should be taken to show a user exactly what the website requires to sign, and warn in the case of any suspicious scenarios.

In the sign-request window, the Brave Wallet renders all input Unicode characters. This makes the following phishing scenarios possible:
• using new-line characters to hide the actual payload in the non-visible area of the sign-request dialog (no scrollbar is shown to the user until the user forcibly scrolls in the right area of the window)
• using Right-To-Left characters to change the direction of the rendered text

Steps to Reproduce

  1. Unlock the MacOS version of the Brave Wallet and navigate to any connected website
  2. Open the developer console and execute the following JavaScript code:
    window.ethereum.request({"method":"personal_sign","params":["", "Main Message\nEvil payload is below \n\n\n\n\n\n\n\n\n\n\n\nMy Evil payload"],"id":1})
  3. Note that should be changed to your account address
  4. Verify a dialog presented to the user
  5. Click Cancel and execute the following JavaScript code:
    window.ethereum.request({"method":"personal_sign","params":["", "Sign into \u202E EVIL"],"id":1})
  6. Verify a dialog presented to the user. It contains text "Sign into LIVE"

Actual result:

Dialog presented to the user. It contains text "Sign into LIVE"

Expected result:

Show the user a warning message about non-ASCII characters in the message requested for signing. Alternatively, hex-encode non-visible characters so they are always visible to the user. Always show a scrollbar indicating that not the whole message is currently visible to the user.
Additionally, it is recommended to show a warning message in case of the presence of any Unicode characters that change the direction of the text.

Reproduces how often:

Easily
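As an added example (not Brave's code and not the fix in brave/brave-core#14686), here is a screen a wallet UI could run over a personal_sign payload before rendering it: it flags non-ASCII characters, Unicode bidirectional controls and long runs of line breaks, and produces an escaped rendering in the spirit of the "View message in ASCII encoding" option. The function names and the blank-run threshold are assumptions; the sample messages are the two payloads from the reproduction steps.

```javascript
// Added example, not Brave's code: screen a sign-request message before it
// is shown to the user. Names and the maxBlankRun threshold are assumptions.

// Unicode bidirectional control characters (LRM/RLM, ALM, embeddings,
// overrides and isolates) that can reorder the text a dialog renders.
const BIDI_CONTROLS = /[\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069]/;

// Escape every code point outside printable ASCII (0x20-0x7E) as \uXXXX so
// that line breaks, RTL overrides and look-alike glyphs all become visible.
function toAsciiEscaped(message) {
  let out = "";
  for (const ch of message) {
    const cp = ch.codePointAt(0);
    if (cp >= 0x20 && cp <= 0x7e) {
      out += ch;
    } else if (cp > 0xffff) {
      // Astral code points are shown as their UTF-16 surrogate pair.
      const hi = Math.floor((cp - 0x10000) / 0x400) + 0xd800;
      const lo = ((cp - 0x10000) % 0x400) + 0xdc00;
      out += `\\u${hi.toString(16).padStart(4, "0")}`;
      out += `\\u${lo.toString(16).padStart(4, "0")}`;
    } else {
      out += `\\u${cp.toString(16).padStart(4, "0")}`;
    }
  }
  return out;
}

// Longest run of consecutive line breaks: a long run pushes later text out
// of the visible area of a dialog that shows no scrollbar.
function longestBlankRun(message) {
  let longest = 0;
  for (const m of message.matchAll(/\n+/g)) longest = Math.max(longest, m[0].length);
  return longest;
}

// Findings a wallet UI would use to decide whether to warn and to offer the
// escaped rendering instead of the raw text.
function analyzeSignMessage(message, maxBlankRun = 3) {
  const hasNonAscii = /[^\x00-\x7f]/.test(message);
  const hasBidiControl = BIDI_CONTROLS.test(message);
  const hiddenPayloadRisk = longestBlankRun(message) > maxBlankRun;
  return {
    hasNonAscii,
    hasBidiControl,
    hiddenPayloadRisk,
    shouldWarn: hasNonAscii || hasBidiControl || hiddenPayloadRisk,
    asciiEncoded: toAsciiEscaped(message),
  };
}
```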

@josheleonard josheleonard added labels: security, priority/P3 (The next thing for us to work on. It'll ride the trains.), QA/Yes, release-notes/include, OS/Desktop on Aug 19, 2022
@josheleonard josheleonard self-assigned this Aug 19, 2022
@josheleonard josheleonard changed the title from "feat: detect unicode in sign message requests #14686" to "Misleading Signing Request Message (BRA-Q322-7)" Aug 24, 2022
@brave-builds brave-builds added this to the 1.45.x - Nightly milestone Aug 30, 2022
@LaurenWags LaurenWags added the feature/web3/wallet Integrating Ethereum+ wallet support label Sep 28, 2022
@srirambv (Contributor) commented

Verification passed on

Brave 1.45.95 Chromium: 106.0.5249.103 (Official Build) beta (64-bit)
Revision 182570408a1f25ab2731ef5f283b918df9b9f956-refs/branch-heads/5249_91@{#6}
OS Linux
  • Verified steps from issue description and brave/brave-core#14686
  • Verified when non-ASCII code is passed in Sign transaction, a warning message is shown
  • Verified clicking on View message in ASCII encoding shows the ASCII code in message
  • Verified clicking on View original message shows the encoded message
24816.mp4

Verification passed on

Brave 1.45.95 Chromium: 106.0.5249.103 (Official Build) beta (64-bit)
Revision 182570408a1f25ab2731ef5f283b918df9b9f956-refs/branch-heads/5249_91@{#6}
OS Windows 11 Version 21H2 (Build 22000.978)
  • Verified steps from issue description and brave/brave-core#14686
  • Verified when non-ASCII code is passed in Sign transaction, a warning message is shown
  • Verified clicking on View message in ASCII encoding shows the ASCII code in message
  • Verified clicking on View original message shows the encoded message
24861.mp4

Verification passed on

Brave 1.45.95 Chromium: 106.0.5249.103 (Official Build) beta (arm64)
Revision 182570408a1f25ab2731ef5f283b918df9b9f956-refs/branch-heads/5249_91@{#6}
OS macOS Version 12.4 (Build 21F79)
  • Verified steps from issue description and brave/brave-core#14686
  • Verified when non-ASCII code is passed in Sign transaction, a warning message is shown
  • Verified clicking on View message in ASCII encoding shows the ASCII code in message
  • Verified clicking on View original message shows the encoded message
24816.mov
