XSS in Trezor Connect legacy versions #47

mroz22 · 2023-03-16T15:17:01Z

mroz22
Mar 16, 2023
Collaborator

Impact: Possible phishing attack
Scalability: Remote (Interaction)
Severity: Medium
Reported by: Jun Kokatsu
Date reported: 2023-02-07

Details

We were notified by Jun Kokatsu that there were XSS vulnerabilities, similar to those reported in August 2020 (see #46). These vulnerabilities were present in the deprecated versions of Trezor Connect that were however still available to legacy implementations on urls https://trezor.connect.io/5, https://trezor.connect.io/6 and https://trezor.connect.io/7.

We are not aware of any abuse and users funds were safe. This issue posed a potential threat of a phishing attack which could gain more trust by changing content served from the trezor.io domain.

Fix

The issue was fixed by removing those affected versions completely.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trezor

XSS in Trezor Connect legacy versions #47

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

Trezor

XSS in Trezor Connect legacy versions #47

mroz22 Mar 16, 2023 Collaborator

Details

Fix

Replies: 0 comments

mroz22
Mar 16, 2023
Collaborator