Trail of Bits

Kraken Wallet In-App Browser

Type: Security review

Client: Payward, Inc

Date: 2024-11

Domain: AppSec

Effort: 4 wks

Section: Technology Product Reviews

Trail of Bits's security review of Payward, Inc's Kraken Wallet In-App Browser (Nov 2024) identified 15 issues: 2 high, 5 medium, 4 low, and 4 informational.

Findings · 15

  1. Dapps could impersonate and use permissions granted to other dapps (High)
  2. Websites may observe the injected secret (Low)
  3. Signature scheme does not prevent message tampering (Low)
  4. A malicious page can overwhelm the wallet with WebView messages (Low)
  5. HTTPS and Unicode URL filtering not enforced for HTML links (Medium)
  6. WebView URI schemes permit HTTP URLs (Informational)
  7. Arguments are not validated for personal_sign requests (Medium)
  8. Missing certificate validation in electrum-client (Medium)
  9. Insufficient test coverage (Informational)
  10. Risk of Realm query injection (Informational)
  11. Unreadable signing text (Medium)
  12. Transaction confirmation screen may be suddenly switched (Medium)
  13. TLS errors are reported as “Url not found” (Informational)
  14. Disconnected dapps can still execute certain requests (Low)
  15. Queued in-app browser requests may use permissions from other pages (High)

Findings extracted from the published report PDF. See the full report below for details and remediation.
