Coinspect discovered a vulnerability in over 27 software wallets that could allow malicious websites to deceive users into sending all their funds to attackers. The root cause was a lack of input validation: arbitrary text, including empty lines and Unicode characters, was displayed verbatim as part of the signature request. This made it feasible for attackers to craft misleading messages that appeared to be genuine elements of the wallet’s own user interface.
In the example screenshot below, the wallet displays a fake transaction simulation that impersonates the wallet’s own interface. Beneath several blank lines, the same message conceals a ‘Permit’ request granting an unlimited allowance.
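The pattern described above (blank-line padding plus invisible or direction-changing Unicode used to hide part of a sign-message request) is something a wallet can screen for before rendering the prompt. The following is an added example, not Coinspect’s code and not taken from any of the affected wallets: it flags control characters, invisible and bidi formatting code points, and long runs of blank lines, and renders the message so that omitted padding and invisible characters become visible to the user. The thresholds, the list of flagged code-point ranges, and the sample message are assumptions constructed for this example.

```javascript
// Added example (not Coinspect's or any wallet's code): pre-display screening of a
// sign-message payload. Thresholds and flagged ranges are assumptions.
const MAX_CONSECUTIVE_BLANK_LINES = 1; // assumed: more than one blank line is suspicious

// Code points that can reorder or hide displayed text (assumed list, not exhaustive).
const RISKY_CODEPOINTS = [
  [0x202a, 0x202e], // bidi embeddings/overrides (LRE..RLO)
  [0x2066, 0x2069], // bidi isolates (LRI..PDI)
  [0x200b, 0x200f], // zero-width space/joiners and LRM/RLM
  [0x2060, 0x2064], // word joiner and other invisible operators
  [0xfeff, 0xfeff], // zero-width no-break space (BOM)
  [0x2028, 0x2029], // line/paragraph separators rendered as breaks
];

// C0/C1 control characters, except the ordinary newline.
function isControl(cp) {
  return (cp < 0x20 && cp !== 0x0a) || (cp >= 0x7f && cp <= 0x9f);
}

function isRiskyInvisible(cp) {
  return RISKY_CODEPOINTS.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Longest run of consecutive blank lines: the padding used to push text off-screen.
function longestBlankRun(message) {
  let run = 0;
  let longest = 0;
  for (const line of message.split('\n')) {
    if (line.trim() === '') {
      run += 1;
      if (run > longest) longest = run;
    } else {
      run = 0;
    }
  }
  return longest;
}

// Returns { safe, findings } where findings lists every reason the prompt should warn.
function analyzeSignMessage(message) {
  let control = 0;
  let invisible = 0;
  for (const ch of message) {
    const cp = ch.codePointAt(0);
    if (isControl(cp)) control += 1;
    else if (isRiskyInvisible(cp)) invisible += 1;
  }
  const findings = [];
  if (control > 0) findings.push(`control-chars:${control}`);
  if (invisible > 0) findings.push(`invisible-or-bidi:${invisible}`);
  const blankRun = longestBlankRun(message);
  if (blankRun > MAX_CONSECUTIVE_BLANK_LINES) findings.push(`blank-line-run:${blankRun}`);
  return { safe: findings.length === 0, findings };
}

// Make invisible and control characters visible as \u{XXXX} escapes.
function escapeInvisible(line) {
  let out = '';
  for (const ch of line) {
    const cp = ch.codePointAt(0);
    out += isControl(cp) || isRiskyInvisible(cp)
      ? `\\u{${cp.toString(16).toUpperCase()}}`
      : ch;
  }
  return out;
}

// Collapse blank-line padding into an explicit marker so hidden trailing text is
// shown next to the text the user actually read.
function renderForDisplay(message) {
  const out = [];
  let blank = 0;
  for (const line of message.split('\n')) {
    if (line.trim() === '') {
      blank += 1;
      continue;
    }
    if (blank > 0) {
      out.push(`[${blank} blank line(s) omitted]`);
      blank = 0;
    }
    out.push(escapeInvisible(line));
  }
  if (blank > 0) out.push(`[${blank} blank line(s) omitted]`);
  return out.join('\n');
}

// Constructed sample: a fake "simulation" banner, 40 blank lines, then the real request
// with a zero-width space inserted to defeat naive keyword matching.
const SPOOFED_MESSAGE = [
  'Wallet Security Check',
  'Simulation result: no balance changes',
  ...Array(40).fill(''),
  'Permit: spender 0xATTACKER_PLACEHOLDER, allowance unlimited\u200B',
].join('\n');

const BENIGN_MESSAGE = 'Sign in to example.com\nNonce: 12345';

console.log(analyzeSignMessage(SPOOFED_MESSAGE));
console.log(renderForDisplay(SPOOFED_MESSAGE));
```

Screening of this kind is only a supporting control: the lasting fix is for the wallet to render sign-message content in a visually distinct region that cannot be mistaken for its own chrome, which is the missing input validation and presentation boundary the advisory describes.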
Interested in learning more about the technical details of the vulnerability and which wallets were affected?