
User-facing string in GUI from untrusted source
Open, High, Public

Description

Hi guys, I also posted this on github here: https://github.com/Bitcoin-ABC/bitcoin-abc/issues/332
And also alerted core to this here: https://github.com/bitcoin/bitcoin/issues/16154

The issue is this code:

https://github.com/Bitcoin-ABC/bitcoin-abc/blob/dc0adb7b18f854a6b076824e4edb8b02ce62e5bd/src/qt/paymentserver.cpp#L759

It ends up generating a user-facing string in a Qt message box that comes from an untrusted source (read: a server's error response).

This is a potential phishing attack surface.

It's a tiny attack surface and very unlikely due to the way Payment Requests work -- just probably not the best idea to show untrusted strings in the UI.

Thanks so much,

-Calin
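The mitigation the report points at, as an added illustration that is not code from bitcoin-abc, Bitcoin Core or the reporter: before a server-supplied string is embedded in a dialog, strip control characters, neutralise anything that could be interpreted as markup, truncate it so it cannot crowd out the trusted part of the message, and wrap it in fixed, application-controlled framing so the user can see which part came from the remote side. The function names `SanitizeUntrustedForDisplay` and `BuildServerErrorMessage` and the 80-character limit are hypothetical choices for this example.

```cpp
#include <cstddef>
#include <string>

// Hypothetical helper (not part of bitcoin-abc). Reduces an untrusted,
// server-supplied string to something that can be embedded in a GUI message:
//  - ASCII control characters (newlines, tabs, ESC sequences) are dropped, so the
//    payload cannot add fake lines to the dialog or smuggle terminal escapes;
//  - '<' and '>' are replaced, so a widget that auto-detects rich text cannot be
//    tricked into rendering HTML (links, bold "instructions", etc.);
//  - the result is truncated on a UTF-8 character boundary, so a very long
//    payload cannot push the application's own wording out of view.
std::string SanitizeUntrustedForDisplay(const std::string& in, std::size_t maxLen = 80)
{
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in) {
        if (c < 0x20 || c == 0x7f) continue;                  // drop control characters
        if (c == '<' || c == '>') { out += '?'; continue; }   // defang markup-looking bytes
        out += static_cast<char>(c);
    }
    if (out.size() > maxLen) {
        std::size_t cut = maxLen;
        // Back up over UTF-8 continuation bytes (10xxxxxx) so we never split a
        // multi-byte sequence and emit an invalid string.
        while (cut > 0 && (static_cast<unsigned char>(out[cut]) & 0xC0) == 0x80) --cut;
        out.resize(cut);
        out += "...";
    }
    return out;
}

// Hypothetical composition of the final dialog text. The framing sentence is
// fixed and controlled by the application; only the quoted part is remote
// input, and the sentence says so explicitly.
std::string BuildServerErrorMessage(const std::string& serverText)
{
    return "The payment server rejected the request. Its response was: \""
           + SanitizeUntrustedForDisplay(serverText) + "\"";
}
```

In Qt specifically, the widget-level counterpart is to call `QMessageBox::setTextFormat(Qt::PlainText)` rather than relying on the default auto-detection, so that even an unsanitised string is rendered as literal text; the sanitiser above is the defence-in-depth layer that does not depend on every call site remembering that setting.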

Event Timeline

CCulianu created this task. Jun 5 2019, 18:01
CCulianu added a project: Restricted Project.
jasonbcox claimed this task. Jun 5 2019, 22:21
jasonbcox triaged this task as High priority.
jasonbcox added a subscriber: jasonbcox.

Thanks for letting us know.