js-libs
Password shown in plain text in Developer Tools Console when entered incorrectly
from @ltfschoen
When I'm prompted to enter my password to send a transaction but I enter the incorrect password (i.e. myincorrectpassword), when I click 'Send' it displays my password in plain text in the Developer Tools Console error message as shown below:
```
index.js:1452 signer_confirmRequest(["0x2",{},"myincorrectpassword"]): -32021: Account password is invalid or account does not exist.
```
Happens with parity_exportAccount as well:
```
index.js:1446 parity_exportAccount(["0x57297efbd2ac9eaebc328309739975bdcb192185","mypassword"]): -32023: Could not export account.
```
I just built a production binary of Fether 0.4.0 where we are using the foundation network by default, and since we've allowed users access to "Dev Tools > Console" in the production version, I had that open just to see what was happening.
I accidentally entered the wrong password when importing one of the accounts that I have on foundation, and it exposed my incorrect "myincorrectpassword" password in plain text in the console as shown below:
```
parity_newAccountFromWallet(["{\"address\":\"1234... ... ,\"name\":\"abcd\",\"version\":3}","myincorrectpassword"]): -32023: Could not create account.
```
Then later when I tried to send a transaction it showed my incorrect password again in plain text in the console as shown below:
```
personal_signTransaction([{"from":"0x003...","gasPrice":"0xee6b2800","to":"0x004...","value":"0x16345785d8a0000","gas":"0x5208"},
"myincorrectpassword"]): -32021: Account password is invalid or account does not exist.
```
I think we need to add both personal_signTransaction and parity_newAccountFromWallet to the dangerous methods, since whilst the incorrect password may not be their actual password, it may be very similar to their password (which makes it easier to brute force) or it may be one of their other sensitive passwords.
parity_killAccount needs to be added as well
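The following is an added illustration of the mitigation the issue asks for, not code from js-libs itself: the error message is built from the RPC method name and its parameters, so the parameters that carry a password (or a keystore JSON) must be redacted before the string is formatted. The `SECRET_PARAMS` map, the `formatRpcError` and `redactParams` functions and the parameter positions are assumptions for this example, taken from the call shapes shown in the console output above.

```javascript
// Positional parameters of each JSON-RPC method that carry a secret.
// '*' means every parameter is redacted. The method names are the ones
// from the issue; the indexes are inferred from the logged calls above,
// and this map is a constructed example, not js-libs' own list.
const SECRET_PARAMS = {
  signer_confirmRequest: [2],          // (requestId, modification, password)
  parity_exportAccount: [1],           // (address, password)
  parity_newAccountFromWallet: ['*'],  // keystore JSON and password are both sensitive
  personal_signTransaction: [1],       // (txObject, password)
  parity_killAccount: [1],             // (address, password)
};

const REDACTED = '[redacted]';

// Returns a copy of `params` with secret positions replaced. Methods that are
// not listed pass through unchanged, so the non-sensitive debugging value of
// the console output is kept for everything else.
function redactParams(method, params) {
  const secret = SECRET_PARAMS[method];
  if (!secret || !Array.isArray(params)) return params;
  const all = secret.includes('*');
  return params.map((p, i) => (all || secret.includes(i) ? REDACTED : p));
}

// Builds the same "method(params): code: message" line the console shows,
// but only after redaction, so the raw password never reaches the string.
function formatRpcError(method, params, code, message) {
  const safeParams = JSON.stringify(redactParams(method, params));
  return `${method}(${safeParams}): ${code}: ${message}`;
}

// Constructed sample mirroring the personal_signTransaction failure above.
const sampleTx = { from: '0x003...', gasPrice: '0xee6b2800', to: '0x004...',
                   value: '0x16345785d8a0000', gas: '0x5208' };
console.log(formatRpcError('personal_signTransaction', [sampleTx, 'myincorrectpassword'],
                           -32021, 'Account password is invalid or account does not exist.'));
// prints: personal_signTransaction([{"from":"0x003...",...},"[redacted]"]): -32021: Account password is invalid or account does not exist.
```

The important property is that redaction happens at formatting time rather than as a post-processing step on the finished message: once the password has been interpolated into a string, it can no longer be reliably found and removed, and that string may already have been passed to the console or a crash reporter.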