[hackerone] wallet ethereum provider binding security issue #30204

Closed
diracdeltas opened this issue May 8, 2023 · 5 comments · Fixed by brave/brave-core#18411
Labels
feature/web3/wallet/core feature/web3/wallet Integrating Ethereum+ wallet support OS/Android Fixes related to Android browser functionality OS/Desktop priority/P1 A very extremely bad problem. We might push a hotfix for it. QA Pass - Android ARM QA Pass-Win64 QA/Yes release-notes/include sec-high security

Comments

@diracdeltas
Member

https://hackerone.com/reports/1977252

This is a p1 security issue so QA should DM me or anthony for steps to repro.

@kjozwiak
Member

kjozwiak commented May 9, 2023

The above requires 1.51.114 or higher for 1.51.x verification 👍

@srirambv
Contributor

srirambv commented May 9, 2023

Verification passed on Oppo Reno 5 with Android 13 running 1.51.114 x64 build. Verification notes can be found here

@srirambv
Contributor

srirambv commented May 9, 2023

Verification passed on

Brave 1.51.114 Chromium: 113.0.5672.92 (Official Build) (64-bit)
Revision b6f521170062a1fa8a82c33fb223b06fec566da1-refs/branch-heads/5672_63@{#10}
OS Windows 11 Version 22H2 (Build 22621.1635)
  • Verification notes can be found here

@Bushido1

https://hackerone.com/reports/1977252

Only hackers and companies can access this site :(

@diracdeltas
Member Author

Hackerone reports are kept confidential until the release has been out for a month or so to reduce the exploitability.
