.merge+ #2896 #2894 #2896 #2897 #2899 #2901 #2903

Added

.merge+ #2905 #2906

Added

I assume this channel has seen this issue? monero-project/monero-gui #2902

I have not.

Ah ok

Well. There it is

Was reported (not via responsible disclosure) via twitter

Someone else posted as an issue

Looks like the fix she suggested is deprecated in Qt 5.15 and I can’t find a different method to disable this.

I’ll let xiphon take a look at this.

Worth mentioning to her on twitter? (I do not have an account, and do not want one)

It would show that the maintainers are aware of the issue now

I commented on Twitter.

Link?

ty

Does it seem like a problem in practice?

sarang: i wouldn't say is a big issue (as big as it is promoted in the twitter post)

no, it does seem like a bs to me

Too bad that the twitter poster feels responsible disclosure is not worth it

although we can and probably will "fix" it (just in case)

(I wholeheartedly disagree with her mentality on this)

i still don't agree that it is a big issue

She does say that it's unlikely to be remotely exploitable

to do this, a user might explicitly want to "inject" some html code where it is not intended to be

but even so

sure, it is unlikely to be exploitable by anyone

Electrum had problems were nodes were able to send html responses which resulted in fake update client dialogs

but I don’t think this is possible here

i still would say that it is not a vulnerability at all

it is like a user entering "rm -rf" in the console

Perhaps a comment on the github issue would also be helpful

but is a bug, though. So we probably could sanitize a user's input

I think her Twitter post was more general and someone asked if this is possible with monero GUI, it didn’t seem like a vulnerability disclosure to me

just in case the user want to do something really dumb

selsta: perhaps, but the thread basically indicated that she didn't intent to responsibly disclose future flaws

a mentality that I think is reckless and unprofessional

but that is unrelated to this particular issue

sarang: read up on her previous tweets now, agree with you

The "I'm an asshole, look at me" mentality is prevalent among those who style themselves security researchers (no idea about this particular case). The apparent glory attracts that type of people.

I don't doubt that this researcher knows her stuff, FWIW

I just disagree with the conclusion that because some projects/companies don't respond well to disclosures, that responsible disclosure isn't still the right thing to do

But again, that's somewhat separate from this particular issue

"Some dude laughed at me when I said please, I won't say please to anyone ever again"

Granted, it's satisfying on the spot.

nooo

been aware of QMLs behaviour on this for quite a while, I committed this on Dec 12 2018; monero-project/monero-gui fe6ce68

AFAIK. QML's default text component is RichText which automagically resolves, for example, <img> tags. This can be problematic with user-input. The attack that I came up with: 1) Create a wallet 2) Create a new contact 3) You give it a name with some HTML in it (had to use some modified monero-core code for this 4) It saves to wallet cache. 5) You send your wallet + wallet cache to victim 6) Victim opens

wallet in GUI which will ping back to you upon rendering. 7) You have his IP (h0h0h0)

I think we also discussed this around Dec 12 2018, specifically how Qt automagically resolves HTML tags in richtext components. Then 1.5 weeks later we get this: zdnet.com/article/users-report-losi…-in-clever-hack-of-electrum-wallets

My conspiracy theory is that someone here read that.

<8')

dsc_: lol usercontent.irccloud-cdn.com/file/8…ot%202020-05-14%20at%2001.58.32.png

hahaha

but like xiphon mentioned, no way to trigger this remotely

so its not really a vuln

but we have to be careful on where we place RichTexts