![Technology can detect vulnerability in the blockchain wallet and fix it says Checkpoint](https://varindia.com/public/index.php/storage/news/uploads/2018/02/628f2756ac9e6.jpg)
Blockchain technology and decentralized applications (dApps) give users a number of advantages. For example, a user can use the service without creating an account, and the service can be implemented as a single-page application written in JavaScript. Ever Surf is a cross-platform messenger, a blockchain browser, and a crypto wallet for the Everscale blockchain. It is written in React Native and is available on Google Play and the Apple App Store.
There is also a web version of Ever Surf that runs on any platform. This type of application does not require communication with a centralized infrastructure, such as a web server, and it can interact with the blockchain directly or by using a browser extension like Metamask. In this case, the user is identified using keys that are stored only on a local machine inside a browser extension or a web wallet. If a decentralized application or a wallet stores sensitive data locally, it must ensure this data is reliably protected. In most cases, dAPPs run inside the browser and therefore may be vulnerable to attacks such as XSS.
This research describes the vulnerability found in the web version of Ever Surf, a wallet for the Everscale blockchain (formerly Free TON). By exploiting the vulnerability, it is possible to decrypt the private keys and seed phrases that are stored in the browser's local storage. In other words, attackers could gain full control over the victim's wallets. Check Point Research (CPR) disclosed the vulnerability to the Ever Surf developers, who then released a desktop version that mitigates this vulnerability.
The web version is now declared deprecated and should only be used for development purposes. Seed phrases from accounts that store real value in crypto should not be used in the web version of Ever Surf. After responsible disclosure, Check Point Research collaborated with the Everscale teams, which acknowledged the vulnerability and released a new desktop version to replace the vulnerable web version. This means the keys required to sign transactions are only stored on the user’s device.
Operations with the blockchain are performed entirely on the client's side. Therefore, like other non-custodial wallets, Surf has no registration with a login name and password. When users run the application for the first time, it suggests creating a new wallet. Surf generates a seed phrase and a public/private key pair. In addition, the user is prompted to create a 6-digit PIN code.
Because everything needed to control the wallet lives in the browser, the browser's local storage cannot be considered secure enough on its own. Websites that require registration, such as well-known social networks, do not have to rely only on the data stored in cookies or local storage. They can also check the web browser and the user's IP address, and require additional user verification in case of suspicious activity. This is impossible with Surf because the data required to control a user's wallet is stored entirely on their computer.
The only protection for their funds is strong encryption. Unfortunately, Surf is not open-source. Therefore, Check Point researchers had to analyze the minified JavaScript application bundle to understand the logic.
Dr. Deepak Kumar Sahu, President & CEO, VARINDIA