unencrypted seed phrases in leveldb file #16
Comments
Thank you for reaching out!
Indeed there was a problem with Windows.
This behavior of storing data is defined by Chromium and it is pretty hard to change. Also, if we try to use another storage, we still have to use a password to encrypt the data and a password to decrypt it. So why ask the user for a password to decrypt the mnemonic and log in, if we could ask for the mnemonic itself?
Good evening and thank you for the fix and reply. I've tested the version before starting the new version of the console. After logging out, the seed phrase is still in the

In addition, I would say that your approach to fixing the issue only slightly mitigates the risk of the seed phrase being stolen. As long as the user is logged into the console, the seed phrase is exposed and available to any process that runs under the current user. I would prefer a slightly better approach: you could just encrypt the seed phrase on the fly as soon as the user has logged in; the encryption credentials could be stored in memory during the working session, until the user logs out. For the transaction signing process you can decrypt/encrypt the seed phrase on the fly. Hope that my reply will help.
Tested version: minter-console-0.6.2-portable-x64.exe
All seed phrases which have been submitted in the login form are stored unencrypted in the following plain text file: <windows_drive>\Users\<username>\AppData\Roaming\minter-console-web\Local Storage\leveldb\000003
Seed phrases are accumulated in this file and moreover are not being cleared after logging out.
This is a very critical vulnerability, which confuses users, as they think the solution from the minter team is secure.