Authors: Andreas Gassmann
Status: Complete, action items in progress
Root Causes: The beacon-sdk used
Resolution: Two separate mitigations were implemented:
- The origin of the data the SDK receives through the `postMessage` interface is now checked and messages from unsafe origins are ignored.
- The UI no longer uses
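
The first mitigation, sketched as an added example (not beacon-sdk code and not part of the original report): a message handler that ignores any event whose origin is not on an exact-match allowlist. The allowlist policy, the origin `https://wallet.example`, the message shape and all function names are assumptions made for illustration.

```javascript
// Added example: origin-checked postMessage receiver (not beacon-sdk code).
// Assumption: a "safe" origin is one that exactly matches an allowlist entry.
const ALLOWED_ORIGINS = new Set(["https://wallet.example"]); // constructed value

function isTrustedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  // Compare the whole serialized origin (scheme + host + port). Prefix or
  // substring checks would accept "https://wallet.example.attacker.test".
  // Sandboxed frames and data: URLs report the literal string "null".
  return typeof origin === "string" && origin !== "null" && allowed.has(origin);
}

function createReceiver(onMessage, allowed = ALLOWED_ORIGINS) {
  const stats = { accepted: 0, ignored: 0 };
  function handler(event) {
    if (!isTrustedOrigin(event.origin, allowed)) {
      stats.ignored++; // drop silently: no reply, no processing
      return false;
    }
    const data = event.data;
    // A trusted origin does not make the payload trusted: check its shape.
    if (data === null || typeof data !== "object" || typeof data.type !== "string") {
      stats.ignored++;
      return false;
    }
    stats.accepted++;
    onMessage({ type: data.type, payload: data.payload }, event.origin);
    return true;
  }
  return { handler, stats };
}

// In a browser: window.addEventListener("message", createReceiver(cb).handler);

function demo() {
  const seen = [];
  const { handler, stats } = createReceiver((msg, origin) => seen.push([origin, msg.type]));
  const events = [ // constructed MessageEvent-like objects
    { origin: "https://wallet.example", data: { type: "pair", payload: {} } },
    { origin: "https://wallet.example.attacker.test", data: { type: "pair" } },
    { origin: "null", data: { type: "pair" } },
    { origin: "http://wallet.example", data: { type: "pair" } },
    { origin: "https://wallet.example", data: "not-an-object" },
  ];
  const results = events.map((e) => handler(e));
  return { results, stats, seen };
}

console.log(JSON.stringify(demo()));
```

Only the first constructed event is processed; the look-alike host, the opaque `null` origin, the scheme mismatch and the malformed payload are all ignored.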
Detection: The vulnerability was found by Maciej Domanski, Security Engineer at Trail of Bits, during a security review of another project. After discovering that the beacon-sdk was the cause of the issue, the Trail of Bits team privately reached out to us to disclose the vulnerability.
| Update beacon-sdk to fix vulnerability | mitigate | andreas | COMPLETE |
| Monitor dApp ecosystem and reach out to developers | mitigate | andreas | IN PROGRESS |
- The vulnerability was found, fixed and most dApps updated in a little over a week. A huge thanks to the community for reacting quickly.
- As far as we are aware, the vulnerability has not been actively exploited.
- The security vulnerability only affected dApps. Wallets and the Beacon Network were not affected.
(all times UTC)
- 2022-04-05 20:30 The Trail of Bits team reached out to the Beacon team to inform us of a security vulnerability they found in the beacon-sdk during one of their audits
- 2022-04-05 23:00 The Beacon team was able to verify the vulnerability and started planning the fix and its rollout
- 2022-04-06 18:00 A proof of concept of the mitigations was implemented and fixed the security vulnerability
- 2022-04-07 17:00 Both mitigations were implemented and an internal review was started
- 2022-04-08 11:30 The fix was released to NPM with the version number
- 2022-04-08 12:00 The Beacon team started privately reaching out to dApps in the Tezos ecosystem, informing them that a new update is available and urging them to update as soon as possible
- 2022-04-08 18:00 A small fix was deployed to address build issues with server side rendering, beacon-sdk version
- 2022-04-11 12:00 More dApps were contacted and notified about the update
- 2022-04-12 23:30 The vulnerability was posted in various developer communities
- 2022-04-13 15:00 The vulnerability was publicly disclosed
We want to thank all the developers in the Tezos ecosystem that were involved in addressing this issue as soon as possible in a very effective manner.
Special thanks to the Trail of Bits team for reporting the vulnerability, as well as the Ecad Labs, Tezos Commons, Codecrafting Labs and Kukai Wallet teams for helping us coordinate the communication in the Tezos Developer ecosystem.