Trail of Bits

ZecWallet

Type: Security review
Client: ZecWallet
Date: 2019-04
Domain: Blockchain
Effort: 2 wks
Section: Wallet Reviews

Trail of Bits's security review of ZecWallet (Apr 2019) identified 26 issues: 2 high, 11 medium, 11 low, and 2 informational.

Findings · 26

  1. Mobile wallet parses responses for requests it never made (Low)
  2. Mobile wallet parses unencrypted messages (High)
  3. Mobile wallet does not verify intended-user presence (High)
  4. Sensitive mobile settings are stored unsecurely (Medium)
  5. Android best practices: cleartext traffic (Informational)
  6. Transaction history is not encrypted (Medium)
  7. Lack of string validation during UI operations (Medium)
  8. Improper numerical types used for Zcash currency (Low)
  9. Insufficient separation of API operations from UI operations (Informational)
  10. RPC password stored in plain text in QTSettings object (Medium)
  11. Wallet is not encrypted on the filesystem (Medium)
  12. Insufficient random number generator (Medium)
  13. Local network connections use Basic Authentication (Low)
  14. Error messages from remote JSON RPC interfaces are reflected to users (Medium)
  15. Lack of adequate testing framework (Low)
  16. Authenticated clients can cause an access violation in desktop wallet (Low)
  17. Wormhole idle timeout too long (Low)
  18. Wormhole continues parsing input after emitting an error (Low)
  19. Weak TLS ciphers supported by wormhole (Medium)
  20. Wormhole server supports TLS 1.0 and 1.1 (Medium)
  21. Failure to use platform encryption (Medium)
  22. Sensitive data is not promptly cleared from memory (Low)
  23. Best practice: use two-factor authentication (Low)
  24. Lack of HTTP caching headers on the wormhole server (Low)
  25. Insufficient protection of tokens during transit (Low)
  26. Centralized point of failure for mobile device sending transactions (Medium)

Findings extracted from the published report PDF. See the full report below for details and remediation.