
User-facing string in GUI from untrusted source
Open, High, Public

Description

Hi guys, I also posted this on github here: https://github.com/Bitcoin-ABC/bitcoin-abc/issues/332
And also alerted core to this here: https://github.com/bitcoin/bitcoin/issues/16154

The issue is this code:

https://github.com/Bitcoin-ABC/bitcoin-abc/blob/dc0adb7b18f854a6b076824e4edb8b02ce62e5bd/src/qt/paymentserver.cpp#L759

Which ends up generating a user-facing string in a message box in Qt which comes from an untrusted source (read: a server's error response).

This is a potential phishing attack surface.

It's a tiny attack surface and very unlikely due to the way Payment Requests work -- just probably not the best idea to show untrusted strings in the UI.

Thanks so much,

-Calin
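The mitigation the report points toward is not to treat a server's error text as if it were the wallet's own. The following is an added example, not code from bitcoin-abc or Bitcoin Core: it shows the defensive steps a practitioner would apply to an untrusted, server-supplied string before handing it to a Qt message box. It is plain C++17 with no Qt dependency so it builds stand-alone; the constant kMaxDisplayLen and the functions stripControl, truncateUtf8, escapeHtml and buildServerErrorMessage are this example's own names, and the fixed wording in the composed message is invented for illustration.

```cpp
// Added example (not bitcoin-abc / Bitcoin Core code): defensive handling of an
// untrusted server reply before it is shown in a GUI message box.
// All names below are this example's own assumptions.
#include <cstddef>
#include <string>

// Upper bound on how much server-controlled text the dialog may show.
constexpr std::size_t kMaxDisplayLen = 120;

// Drop ASCII control characters (CR, LF, TAB, ESC, DEL, ...). Multi-byte UTF-8
// sequences only use bytes >= 0x80, so they pass through untouched. Without this
// a server could inject line breaks and lay out its own "instructions" under
// the wallet's wording.
std::string stripControl(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in) {
        if (c >= 0x20 && c != 0x7F) out.push_back(static_cast<char>(c));
    }
    return out;
}

// Truncate to at most maxBytes, backing up so a UTF-8 sequence is never cut in
// the middle, and append "..." when something was removed.
std::string truncateUtf8(const std::string& in, std::size_t maxBytes) {
    if (in.size() <= maxBytes) return in;
    std::size_t cut = maxBytes;
    // Continuation bytes have the form 10xxxxxx; step back to a lead byte.
    while (cut > 0 && (static_cast<unsigned char>(in[cut]) & 0xC0) == 0x80) --cut;
    return in.substr(0, cut) + "...";
}

// Escape the characters a rich-text renderer interprets. Only needed when the
// message box renders rich text; if the text format is forced to plain text
// (Qt::PlainText) the escaping is unnecessary and the entities would show
// literally, so pick one of the two, not both.
std::string escapeHtml(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out.push_back(c);
        }
    }
    return out;
}

// Compose the dialog text. The wallet's own fixed wording comes first and the
// server text is quoted and explicitly attributed, so a server cannot pass its
// text off as the application's. Truncation happens before escaping so an
// entity is never cut in half. richText selects escaping for callers that must
// render rich text; plain text is the simpler, preferred option.
std::string buildServerErrorMessage(const std::string& untrustedReply, bool richText) {
    std::string cleaned = truncateUtf8(stripControl(untrustedReply), kMaxDisplayLen);
    if (richText) cleaned = escapeHtml(cleaned);
    return "The payment server rejected the request. Its reply (not verified by this wallet) was: \""
           + cleaned + "\"";
}
```

In a Qt caller the returned string would go into the message box together with an explicit text format: either call setTextFormat(Qt::PlainText) and pass richText=false, or keep rich text and pass richText=true. Relying on Qt's automatic rich-text detection for text an attacker controls is the weak point, because the server then chooses whether its reply is rendered as markup.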

Event Timeline

CCulianu added a project: Restricted Project.
jasonbcox triaged this task as High priority.
jasonbcox added a subscriber: jasonbcox.

Thanks for letting us know.

Klakurka moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. May 13 2022, 06:18
Unknown Object (User) added a subscriber: Unknown Object (User). Mar 1 2023, 16:59