Hello community,
We noticed some security vulnerabilities in IC agents last year and promptly reported them. Note that we did not systematically review these agents. Unfortunately, some of the reported issues have not been addressed. The following agents are affected:
- ic-py
  - IC certificates are not verified: The verification of certificates from a request_status call is not performed in request_status_raw and request_status_raw_async. This could allow a single malicious node to modify responses to update calls.
  - We tried to contact them through several channels (including GitHub) and waited for a reasonable amount of time for the issues to be addressed (more than half a year), but we did not hear back and it seems that ic-py is currently unmaintained.
- ic-c
  - Outdated crates: The ic-c Rust wrapper, ic-agent-wrapper, utilizes an outdated version of ic-agent (Rust agent version 0.24.1) that lacks important security features like replica-signed queries.
  - According to the Zondax team, they plan to update the crates but the project is not actively maintained at the moment. However, it can still serve as a reference implementation for prototyping. If someone intends to use it in production, they should contact the Zondax team directly.
Given the security implications of using unmaintained software, we strongly recommend that developers evaluate alternative solutions or take necessary precautions before relying on these agents.
Please share any thoughts, concerns, or potential solutions you may have. We appreciate the collaboration of the community in keeping the IC environment secure.
Eduard
DFINITY product security team
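The check the post says ic-py skips for request_status responses, as an added example that is not code from ic-py, ic-c or DFINITY: rebuild the root hash of the certificate's hash tree, verify the signature over it before reading the status, and reject a tree a single node has altered. It assumes the hash-tree node tags and domain separators from the IC interface spec, a caller-supplied `bls_verify` callable standing in for a BLS12-381 verifier bound to the subnet key (delegations are not handled), and a constructed tree with a placeholder request id.

```python
import hashlib
from typing import Callable, List, Optional
EMPTY, FORK, LABELED, LEAF, PRUNED = 0, 1, 2, 3, 4  # IC hash tree node tags (CBOR array form)

def dsep(s: str) -> bytes:
    return bytes([len(s)]) + s.encode()  # spec domain separator: one length byte, then the tag

def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def reconstruct(t) -> bytes:
    """Recompute the root hash of a (pruned) hash tree; this is what the subnet signed."""
    if t[0] == EMPTY:   return sha(dsep("ic-hashtree-empty"))
    if t[0] == FORK:    return sha(dsep("ic-hashtree-fork"), reconstruct(t[1]), reconstruct(t[2]))
    if t[0] == LABELED: return sha(dsep("ic-hashtree-labeled"), t[1], reconstruct(t[2]))
    if t[0] == LEAF:    return sha(dsep("ic-hashtree-leaf"), t[1])
    if t[0] == PRUNED:  return t[1]
    raise ValueError(f"unknown hash tree node tag {t[0]}")

def lookup(t, path: List[bytes]) -> Optional[bytes]:
    """Leaf value at `path`, or None if absent or pruned away."""
    if not path:
        return t[1] if t[0] == LEAF else None
    if t[0] == FORK:
        left = lookup(t[1], path)
        return left if left is not None else lookup(t[2], path)
    if t[0] == LABELED and t[1] == path[0]:
        return lookup(t[2], path[1:])
    return None

def certified_status(cert: dict, request_id: bytes,
                     bls_verify: Callable[[bytes, bytes], bool]) -> Optional[bytes]:
    """Read request_status/<id>/status only after the signature over the root hash checks out.
    bls_verify is assumed to be a BLS12-381 verifier bound to the subnet key (no delegation handling)."""
    message = dsep("ic-state-root") + reconstruct(cert["tree"])
    if not bls_verify(message, cert["signature"]):
        raise ValueError("certificate signature invalid; the response must not be trusted")
    return lookup(cert["tree"], [b"request_status", request_id, b"status"])

def build_tree(request_id: bytes, status: bytes):
    """Constructed sample tree with one request_status entry next to pruned siblings."""
    return [FORK, [LABELED, b"request_status", [LABELED, request_id,
            [FORK, [LABELED, b"status", [LEAF, status]], [PRUNED, bytes(32)]]]], [PRUNED, bytes(32)]]

def demo(served_status: bytes = b"replied") -> Optional[bytes]:
    """The subnet signed a tree saying 'replied'; a single node serves `served_status` instead.
    The stand-in verifier is bound to the honestly signed root; a real agent checks a BLS signature."""
    request_id = bytes(32)  # constructed placeholder request id
    signed_root = reconstruct(build_tree(request_id, b"replied"))
    verifier = lambda msg, sig: msg == dsep("ic-state-root") + signed_root and sig == b"constructed-sig"
    cert = {"tree": build_tree(request_id, served_status), "signature": b"constructed-sig"}
    return certified_status(cert, request_id, verifier)
```

Calling `demo()` returns the signed status, while `demo(b"rejected")` raises because the altered tree no longer hashes to the root the signature covers.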