
User-facing string in GUI from untrusted source
Open, High, Public


Hi guys, I also posted this on GitHub here:
And also alerted core to this here:

The issue is this code:

Which ends up generating a user-facing string in a message box in Qt which comes from an untrusted source (read: a server's error response).

This is a potential phishing attack surface.

It's a tiny attack surface and very unlikely due to the way Payment Requests work -- just probably not the best idea to show untrusted strings in the UI.

Thanks so much,


Event Timeline

CCulianu added a project: Restricted Project.
jasonbcox triaged this task as High priority.
jasonbcox added a subscriber: jasonbcox.

Thanks for letting us know.
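
An added example, not code from this task or from the project: one way to neutralize a server-supplied error string before it reaches a message box of the kind the report describes. The function names and the 120-character cap are assumptions; the escaping matters because Qt's QMessageBox auto-detects rich text by default, so markup in a server string would otherwise be rendered.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical helper (not the project's code): neutralize a string that came
// from a remote server before it is placed in a dialog.
std::string sanitize_untrusted(const std::string& in, std::size_t max_len = 120) {
    std::string out;
    std::size_t seen = 0;
    for (unsigned char c : in) {
        if (seen++ >= max_len) {          // cap the length so the server text
            out += "...";                 // cannot crowd out the local wording
            break;
        }
        if (c < 0x20 || c == 0x7f) {
            out += ' ';                   // control chars/newlines: no fake extra lines
        } else if (c >= 0x80) {
            out += '?';                   // assumption: ASCII only, which also drops
                                          // bidi overrides and look-alike characters
        } else if (c == '<') {
            out += "&lt;";                // escape markup so a rich-text widget
        } else if (c == '>') {            // shows it literally instead of rendering
            out += "&gt;";                // links or formatting
        } else if (c == '&') {
            out += "&amp;";
        } else if (c == '"') {
            out += "&quot;";
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// Fixed, locally written wording comes first; the server text is quoted and
// labelled so it cannot pass for a message from the wallet itself.
std::string dialog_text_for_server_error(const std::string& server_text) {
    return "The payment server returned an error. Unverified text from the server: \""
           + sanitize_untrusted(server_text) + "\"";
}

int main() {
    // Constructed sample input, not taken from a real server response.
    std::cout << dialog_text_for_server_error(
        "<a href='http://example.invalid'>Click to fix</a>\nOK") << "\n";
    return 0;
}
```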