Desktop and Mobile applications do not validate data coming from online services #5140

Closed
ManuGowda opened this issue Jul 3, 2023 · 0 comments · Fixed by #5175

ManuGowda commented Jul 3, 2023

Description

Both lisk-desktop and lisk-mobile receive data from online services, mostly from instances of lisk-service maintained by the Lisk team. That data is used in various functionalities, but most importantly in transaction construction and signing procedures. Some information received from the online services is not sufficiently validated.

A proper validation must comprise two phases:

  • Technical, in-code validations, invisible to the user, of syntax and basic semantic properties. This type of validation is, for example, validation of length, format, and correspondence to other data.
  • Manual validation of the data by a user. Users should be able to manually check and confirm data received from external (and so potentially malicious) endpoints.

image

These screens should contain every piece of information the user needs to make an informed decision on whether to approve or reject the transaction. Specifically, the transaction summary screen (figure 83.2) is missing the chain ID and network fields, which would give the user more context to make their decision.

Recommendation

Show the chain ID and Network fields in the transaction approval screen in lisk-desktop. Validate and show chainID in lisk-mobile. This will ensure the user has all the information he needs to make an informed decision.

Which version(s) does this affect? (Environment, OS, etc...)

3.0
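
The two validation phases described in the issue, as an added example that is not code from lisk-desktop or lisk-mobile. The field names `tokenID` and `minFee`, the assumed formats of all three fields, and the functions `validateServiceData` and `approvalSummary` are hypothetical; the sample responses are constructed.

```javascript
// Added example, not lisk-desktop or lisk-mobile code.
// Assumed formats: chainID = 4 bytes (8 hex chars); tokenID = 8 bytes (16 hex
// chars) whose first 4 bytes are the chain ID; minFee = decimal uint64 string.
const HEX8 = /^[0-9a-f]{8}$/;
const HEX16 = /^[0-9a-f]{16}$/;
const UINT = /^(0|[1-9][0-9]{0,19})$/; // bounded length before BigInt parsing
const UINT64_MAX = (1n << 64n) - 1n;

// Phase 1: in-code validation. `expectedChainID` must come from the network the
// user selected locally, never from the response being validated.
function validateServiceData(data, expectedChainID) {
  if (data === null || typeof data !== 'object') return ['response is not an object'];
  const { chainID, tokenID, minFee } = data;
  const errors = [];

  // Length and format.
  if (typeof chainID !== 'string' || !HEX8.test(chainID)) errors.push('chainID: bad format');
  if (typeof tokenID !== 'string' || !HEX16.test(tokenID)) errors.push('tokenID: bad format');
  if (typeof minFee !== 'string' || !UINT.test(minFee) || BigInt(minFee) > UINT64_MAX) {
    errors.push('minFee: bad format');
  }
  if (errors.length > 0) return errors;

  // Correspondence to other data.
  if (chainID !== expectedChainID) errors.push('chainID does not match selected network');
  if (!tokenID.startsWith(chainID)) errors.push('tokenID does not belong to chainID');
  return errors;
}

// Phase 2: fields handed to the approval screen for the user's manual check.
// Nothing is shown (or signed) unless phase 1 passed.
function approvalSummary(data, networkName, expectedChainID) {
  const errors = validateServiceData(data, expectedChainID);
  if (errors.length > 0) throw new Error(`service data rejected: ${errors.join('; ')}`);
  return { Network: networkName, 'Chain ID': data.chainID, 'Token ID': data.tokenID, Fee: data.minFee };
}

// Constructed sample responses (values are illustrative only).
const sampleGood = { chainID: '01000000', tokenID: '0100000000000000', minFee: '165000' };
const sampleWrongChain = { chainID: '00000000', tokenID: '0000000000000000', minFee: '165000' };
const sampleWrongToken = { chainID: '01000000', tokenID: '0000000000000000', minFee: '165000' };

console.log(approvalSummary(sampleGood, 'testnet', '01000000'));
console.log(validateServiceData(sampleWrongChain, '01000000'));
console.log(validateServiceData(sampleWrongToken, '01000000'));
```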
