Posted by Ronan, on 12 Jul 2019
Portis is using iframe to display the confirmation buttons This allow a malicious application (trusted enough to have made the user signin with portis) to make the following: detect high token value in user's wallet cover the portis iframe with click through element perform a tx to steal the tokens (the portis iframe will come up but will not be visible to the user, it does not know that by clicking on the cover, it will actually click through to the portis confirm button) The tx is then broadcasted and the user loose its token
To solve this the portis iframe confirm button should become a "see details" button that trigger a popup. That popup will be where the user will confirm the tx
Be the first to leave a comment.