lightning-browser-extension
[BUG] New passwords can be set repeatedly without verification of old passwords
Is there an existing issue for this?
- [X] I have searched the existing issues
Describe the bug
After creating the wallet, you can set a new password without the old password every time you open chrome-extension://iokeahhehimjnekafflcihljlcjccdbe/welcome.html. This is a serious vulnerability. When an existing wallet can be unlocked with a new password, transferring assets is very serious.
Screenshots [optional]
No response
Steps To Reproduce
1. open chrome-extension://iokeahhehimjnekafflcihljlcjccdbe/welcome.html
2. set new password
3. fuck...
Expected behavior
1. open chrome-extension://iokeahhehimjnekafflcihljlcjccdbe/welcome.html
2. not allowed to set password
Alby information
3.3.0_0
Device information
No response
Additional context
No response
Are you working on this?
None
Thanks for your report! I agree that this could be improved UX-wise (to have a kind of a reset function to start over and not allow to go through the welcome flow again), however since all of your connection details are encrypted with the password you won't be able to access wallets which have been encrypted with your old password.
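The property described in the reply above, together with the behaviour the report asks for, as an added example that is not part of the thread and not the extension's own code. It assumes scrypt key derivation and AES-256-GCM under Node.js; `encryptConfig`, `decryptConfig`, `setPassword` and the store layout are hypothetical names.

```javascript
// Added example: Node.js stand-in for password-encrypted account storage.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// Derive a 256-bit key from the password and a per-record salt.
function deriveKey(password, salt) {
  return scryptSync(password, salt, 32);
}

function encryptConfig(password, plaintext) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const data = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, iv, data, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the password is wrong (GCM tag mismatch).
function decryptConfig(password, rec) {
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(password, rec.salt), rec.iv);
  decipher.setAuthTag(rec.tag);
  try {
    return Buffer.concat([decipher.update(rec.data), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Hypothetical guard for the welcome flow: once accounts are stored, a new
// password is accepted only if the old one decrypts every record.
function setPassword(store, newPassword, oldPassword) {
  if (store.accounts.length > 0) {
    const plain = store.accounts.map((rec) => decryptConfig(oldPassword ?? "", rec));
    if (plain.includes(null)) return false; // refuse: old password not proven
    store.accounts = plain.map((p) => encryptConfig(newPassword, p));
  }
  return true;
}

// Constructed sample data, not real connection details.
function demo() {
  const store = { accounts: [encryptConfig("old-pass", '{"connector":"lnd","macaroon":"SAMPLE"}')] };
  return {
    newPasswordReadsOld: decryptConfig("new-pass", store.accounts[0]) !== null,
    resetWithoutOld: setPassword(store, "new-pass"),
    resetWithOld: setPassword(store, "new-pass", "old-pass"),
    readableAfterChange: decryptConfig("new-pass", store.accounts[0]),
  };
}
```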