In this post, we share the results of the audit, detailing some of the key findings and the changes made to remedy them.
Initial Audit Findings
The results of the review indicated a handful of security improvements to be made. Most notably, one abuse vector was found whereby the extension could be embedded into any website. This behavior should be prohibited to prevent sophisticated clickjacking attacks.
The Hiro team swiftly patched this by enabling the frame-ancestors content security policy directive. A new version was published, and the findings were disclosed in a forum post, requesting that users upgrade.
As this vulnerability was found during the development of the Stacks Wallet, and the wallet had only been released as a developer preview, we don’t believe it was ever exploited.
Other items from the initial report we’d like to highlight are:
Key derivation is an important mechanism needed to secure encrypted keys against brute force attacks. Rather than using the password directly, it is used to derive an encryption key. This process is, by design, computationally expensive (slow).
While PBKDF2 is recommended by OWASP, a newer key derivation function, Argon2, has properties that make it even more resistant to brute force attacks. We implemented this library in our key derivation logic, resolving the suggestion. Learn more about Argon2 →
NPM package versions by default are described with a caret, such as ^3.11.8. This tells NPM to pull the latest patch version, according to semver, when installing dependencies. It’s possible a bug may be released in one of these versions. For this reason, Least Authority recommended that npm packages be pinned to specific versions, without the caret. This is done by using the --exact flag when installing the package. To enforce this, a CI task was added to validate the project’s package.json for exact versions. Check out the Github Action →
On April 29th 2021, after addressing the major concerns described in the initial findings, as well as a concluding sign-off from the Least Authority team, a final report was delivered. We then felt confident in making the Stacks Wallet live to the public on the Firefox and Chrome stores, opening the door for our big release.