AgentJS is storing information in localStorage, which makes it possible for the page to reload and still be authenticated. I am not aware of its inner workings, but it doesn’t seem very safe to do that. Chrome extensions, XSS attacks, supply chain attacks: all of these can inject JavaScript, get access to localStorage and then call all the canister methods they want. Correct me if I am wrong.
If you are like “Ohh, I don’t use Chrome extensions like that”, let me tell you: pretty much ALL of my extensions right now have permission to inject JavaScript into any site: Metamask, Plug, Grammarly, React Developer Tools, Redux Tools.
So can I opt out of localStorage and just keep my keys in locally scoped variables so injected JavaScript can’t get to them?
Now, I know that won’t solve everything. Watch a minute of that video from the start time I have set. You won’t regret it.
So it seems just hiding keys won’t really be successful unless we use these under-construction JavaScript inventions, which Metamask also uses.
Otherwise injected JavaScript will just rewrite Array and String functions, or even fetch, which could result in taking user keys. Or it can replace canister call parameters during fetch.
Without taking precautions and ‘hardening’ our dapps, I suppose that for this to really blow up in our faces a hacker would have to specifically target a dapp. The dapp needs to be worth their time and have a big honeypot. Then they would go through significant trouble to, for example, inject malicious code into a JS package required by another JS package of a very popular Chrome extension or the dapp itself.
Is there another way to set up your dapp which will shield contracts and require a hardware signature each time the user makes a certain update call?
I can’t find anything related in this forum. It seems that this kind of thing will affect all dapps.