[Bug]: SRP displayed when attempting to reveal private key #8210

Closed
plasmacorral opened this issue Jan 6, 2024 · 0 comments · Fixed by #8211
Labels: android (Android specific issue), area-UI, iOS, regression-prod-7.12.3 (Regression bug that was found in production in release 7.12.3), release-7.15.0 (Issue or pull request that will be included in release 7.15.0), secret recovery phrase, Sev1-high (An issue that may have caused fund loss or access to wallet in the past & may still be ongoing), team-accounts, type-bug (Something isn't working), type-security

Comments

Contributor

plasmacorral commented Jan 6, 2024

Describe the bug

After completing the SRP quiz and revealing the SRP, if the user does NOT tap the DONE CTA, then subsequent attempts to reveal the private key actually display the SRP value. The user will remain in this predicament of showing the SRP when attempting to reveal the private key until DONE is tapped and the user is returned to settings>security and privacy; only then will attempts to reveal the private key value actually show the private key value.

This was discovered in feature QA on #8035 and confirmed in production v7.12.5 build 1235 on iOS 15.6.2 and 7.12.3 build 1230 on Android 12.

Expected behavior

  1. SRP should never be displayed unless the user has asked to do so through settings>security and privacy> reveal SRP (or through initial protect your SRP flows), and the user must satisfy the quiz, password authentication, as well as tap and hold to reveal before the value is presented.
  2. Revealing the private key should always require that the user password authenticates and satisfies tap and hold to reveal private key, independent of SRP reveal
  3. SRP string should never be presented as though it is the private key string

Screenshots/Recordings

Video: https://recordit.co/bC3czCRgh7

Steps to reproduce

  1. Have a wallet configured with SRP backed up and be at wallet view
  2. Tap settings gear
  3. Tap Security & Privacy
  4. Tap Reveal Secret Recovery Phrase
  5. Tap Get started
  6. Complete the quiz
  7. Supply password
  8. Tap Next
  9. Tap and hold Hold to reveal SRP
  10. When SRP is displayed do NOT tap Done
  11. Tap Wallet on bottom left to return to wallet view
  12. Tap 3 dots next to public address
  13. Tap Show private key
  14. Note lack of password or tap and hold to reveal
  15. Note reference to SRP up top as well as SRP string displayed while referencing private key

Error messages or log output

No response

Version

7.12.3

Build type

None

Device

iPhone 13 mini and Samsung a515f

Operating system

iOS, Android

Additional context

No response

Severity

No response

@plasmacorral plasmacorral added type-bug Something isn't working area-UI android Android specific issue iOS Sev1-high An issue that may have caused fund loss or access to wallet in the past & may still be ongoing secret recovery phrase team-accounts type-security labels Jan 6, 2024
@metamaskbot metamaskbot added the regression-prod-7.12.3 Regression bug that was found in production in release 7.12.3 label Jan 6, 2024
@gantunesr gantunesr self-assigned this Jan 7, 2024
@metamaskbot metamaskbot added the release-7.15.0 Issue or pull request that will be included in release 7.15.0 label Jan 9, 2024