
Insecure wallet passphrase backup

Open zmxv opened this issue 2 years ago • 0 comments

Bug Type

Security

Reproduction steps

  1. Click the triple-dot button to bring up the pop-up menu
  2. Click "Backup keys" and enter the six-digit passcode

Actual result

Passphrase is automatically copied to the clipboard.


Expected result

Automatically copying the passphrase to the clipboard is insecure because if the user switches to another app, the app can read the plain text passphrase without the user's consent. And Apple's Universal Clipboard feature makes it possible for another device to read the sensitive data.

By default, the passphrase should be displayed on the screen. Copying it to the clipboard should be an option.

Suggested Severity

High

Device

Smartphone (please complete the following information):

  • Device: iPhone 13 Pro
  • OS: iOS 15.6.1
  • Browser: Mobile Safari
  • Version: Juston 1.3.2

Additional Context

No response

zmxv, Sep 16 '22 16:09
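
A sketch of the behaviour the report asks for, added here as an example and not taken from the Juston code base: the passphrase is shown on screen and reaches the clipboard only when the user taps a button. The class name, the layout and the 60-second expiry are assumptions; `.localOnly` keeps the item off Universal Clipboard, and the expiry (a mitigation the report does not ask for) limits how long other apps on the device can read it.

```swift
import UIKit
import UniformTypeIdentifiers

// Hypothetical screen, not Juston's implementation.
final class BackupKeysViewController: UIViewController {
    private let passphrase: String
    private let clipboardLifetime: TimeInterval = 60  // assumed value
    private let label = UILabel()
    private let copyButton = UIButton(type: .system)

    init(passphrase: String) {
        self.passphrase = passphrase
        super.init(nibName: nil, bundle: nil)
    }

    required init?(coder: NSCoder) { fatalError("init(coder:) is not supported") }

    override func viewDidLoad() {
        super.viewDidLoad()
        view.backgroundColor = .systemBackground

        // Default behaviour: display only, nothing is written to the pasteboard.
        label.text = passphrase
        label.numberOfLines = 0
        copyButton.setTitle("Copy to clipboard", for: .normal)
        copyButton.addTarget(self, action: #selector(copyTapped), for: .touchUpInside)

        let stack = UIStackView(arrangedSubviews: [label, copyButton])
        stack.axis = .vertical
        stack.spacing = 16
        stack.translatesAutoresizingMaskIntoConstraints = false
        view.addSubview(stack)
        NSLayoutConstraint.activate([
            stack.centerYAnchor.constraint(equalTo: view.centerYAnchor),
            stack.leadingAnchor.constraint(equalTo: view.layoutMarginsGuide.leadingAnchor),
            stack.trailingAnchor.constraint(equalTo: view.layoutMarginsGuide.trailingAnchor)
        ])
    }

    // Opt-in copy: runs only on an explicit tap.
    @objc private func copyTapped() {
        UIPasteboard.general.setItems(
            [[UTType.utf8PlainText.identifier: passphrase]],
            options: [
                .localOnly: true,  // do not sync to other devices via Universal Clipboard
                .expirationDate: Date().addingTimeInterval(clipboardLifetime)
            ]
        )
    }
}
```

Until the item expires, any app the user brings to the foreground on the same device can still read the general pasteboard, so the on-screen display remains the safer default.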