This repository has been archived by the owner on Aug 22, 2022. It is now read-only.

A malicious site may embed a page in an iframe and modify transactions before submitting to an external wallet #1

Open
moodysalem opened this issue Jul 15, 2019 · 1 comment

Comments

@moodysalem
Member

The severity of this issue is low/medium.

Repro steps:

  1. Malicious site embeds target site, e.g. mycrypto
  2. Target site includes this script
  3. Target site submits transaction
  4. Malicious site manipulates transaction and submits to window.web3 provider
  5. window.web3 provider shows confirmation for different transaction than was initiated by target site
  6. User does not validate that the transaction details match what was initiated by the dapp

The easy solution to this is to only allow trusted iframe providers to embed your page in an iframe.

@moodysalem moodysalem changed the title A malicious site may embed a page in an iframe and modify transactions and submit them to an external wallet A malicious site may embed a page in an iframe and modify transactions before submitting to an external wallet Jul 15, 2019
@moodysalem
Member Author

Another solution is to pass a target origin to the provider, limiting which dapps are supported by this provider automatically.
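The attack in the repro steps above, and the two mitigations proposed in this thread, as an added Node simulation (this is not code from the issue or from the iframe-provider project). It models window.postMessage with the browser's rule that a message is only delivered when targetOrigin is `*` or equals the receiving window's origin, then runs the flow three times: a malicious parent with the provider posting to `*`, the same parent with an explicit target origin, and the trusted parent. `SimulatedWindow`, `IframeProvider`, `ExternalWallet`, `frameAncestorsHeader` and every origin and address are constructed for illustration.

```javascript
// Added example, not code from the iframe-provider issue or project.
// SimulatedWindow stands in for a browser window and its postMessage API.
// Constructed model of the spec rule: deliver only if targetOrigin is '*'
// or matches the receiver's current origin.
class SimulatedWindow {
  constructor(origin) {
    this.origin = origin;
    this.listeners = [];
  }
  addEventListener(type, fn) {
    if (type === 'message') this.listeners.push(fn);
  }
  postMessage(data, targetOrigin, source) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return false;
    const event = { data: JSON.parse(JSON.stringify(data)), origin: source.origin, source };
    for (const fn of this.listeners) fn(event);
    return true;
  }
}

// Provider script loaded by the embedded dapp (step 2). It forwards JSON-RPC
// requests to the parent window and, when a targetOrigin is configured,
// ignores responses that arrive from any other origin.
class IframeProvider {
  constructor(ownWindow, parentWindow, { targetOrigin = '*' } = {}) {
    this.win = ownWindow;
    this.parent = parentWindow;
    this.targetOrigin = targetOrigin;
    this.pending = new Map();
    this.nextId = 1;
    this.win.addEventListener('message', (event) => {
      if (this.targetOrigin !== '*' && event.origin !== this.targetOrigin) return;
      const { id, result } = event.data || {};
      if (this.pending.has(id)) this.pending.get(id)(result);
    });
  }
  // Synchronous round trip in this model; returns whether the browser
  // delivered the request and what result (if any) came back.
  request(method, params) {
    const id = this.nextId++;
    let result = null;
    this.pending.set(id, (r) => { result = r; });
    const msg = { jsonrpc: '2.0', id, method, params };
    const delivered = this.parent.postMessage(msg, this.targetOrigin, this.win);
    this.pending.delete(id);
    return { delivered, result };
  }
}

// The user's external wallet (the window.web3 provider of step 4). It records
// the transaction it would show in its confirmation dialog (step 5).
class ExternalWallet {
  constructor() { this.shown = null; }
  sendTransaction(tx) { this.shown = tx; return '0xtxhash'; }
}

// A parent page relaying requests from the iframe to the wallet. A malicious
// parent supplies a tamper function that rewrites the transaction (step 4).
function attachParentRelay(parentWin, wallet, tamper) {
  parentWin.addEventListener('message', (event) => {
    const { id, method, params } = event.data;
    if (method !== 'eth_sendTransaction') return;
    const tx = tamper ? tamper(params[0]) : params[0];
    const result = wallet.sendTransaction(tx);
    event.source.postMessage({ jsonrpc: '2.0', id, result }, event.origin, parentWin);
  });
}

// First mitigation from the issue, as the response header the target site
// would send so that only trusted origins may embed it.
function frameAncestorsHeader(trustedOrigins) {
  return `Content-Security-Policy: frame-ancestors ${trustedOrigins.join(' ')}`;
}

const DAPP_ORIGIN = 'https://dapp.example';        // constructed
const TRUSTED_PARENT = 'https://wallet.example';   // constructed
const MALICIOUS_PARENT = 'https://malicious.example'; // constructed
const LEGIT_TX = { from: '0xaaaa', to: '0xbbbb', value: '0x1' }; // constructed
const ATTACKER = '0xdead'; // constructed

// Run one embedding scenario and report what the wallet displayed.
function runScenario(parentOrigin, providerOptions, malicious) {
  const parentWin = new SimulatedWindow(parentOrigin);
  const childWin = new SimulatedWindow(DAPP_ORIGIN);
  const wallet = new ExternalWallet();
  attachParentRelay(parentWin, wallet, malicious ? (tx) => ({ ...tx, to: ATTACKER }) : null);
  const provider = new IframeProvider(childWin, parentWin, providerOptions);
  const { delivered, result } = provider.request('eth_sendTransaction', [LEGIT_TX]);
  return { delivered, result, shown: wallet.shown };
}

// Steps 1-6: posting to '*' lets the malicious parent rewrite the tx, and the
// wallet confirms a different transaction than the dapp initiated.
const attacked = runScenario(MALICIOUS_PARENT, { targetOrigin: '*' }, true);
// Second mitigation: with an explicit target origin the message is never
// delivered to the untrusted parent, so nothing reaches the wallet.
const blocked = runScenario(MALICIOUS_PARENT, { targetOrigin: TRUSTED_PARENT }, true);
// The trusted parent keeps working with the same setting.
const legit = runScenario(TRUSTED_PARENT, { targetOrigin: TRUSTED_PARENT }, false);

console.log({ attacked, blocked, legit, header: frameAncestorsHeader([TRUSTED_PARENT]) });
```

Note that the target-origin setting only restricts where the provider's own messages go; the page can still be framed by anyone, so in a real deployment the target site would send the `frame-ancestors` header as well. The `event.origin` check on responses is included because a parent that can frame the page can also post arbitrary replies into it.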
