Responsible Security Vulnerability Report: Critical Exposure of Private Keys and Seed Phrases via Keystore Session Hijacking (Inleo)

by @louis88
## Introduction & Background to the Security Audit (March 2024)

This report is part of a comprehensive documentation on the responsible disclosure of security findings on the Inleo platform. The vulnerabilities described here were identified around March 2024 and immediately reported to the development team.

**Purpose of the Documentation**

The goal of this audit is to provide transparency regarding past risks and to ensure the continuous improvement of the platform's integrity. In the world of Web3 technologies, a proactive culture of accountability is essential to securing the community's trust in the long term.

**Risk Assessment and All-Clear**

Although the identified vulnerabilities theoretically posed a risk to sensitive user data and cryptographic keys, an objective assessment of the situation is crucial:

- **No Evidence of Exploitation:** Based on current information and thorough investigation, there is no indication that these or other vulnerabilities reported during this period were actively exploited by third parties.
- **Data Security:** There is no evidence that user information, private keys, or other sensitive data has been leaked to unauthorized third parties.
- **Preventive Measures:** The prompt reporting and subsequent rapid implementation of security fixes by the Inleo team effectively closed the window of opportunity for potential attacks before any damage could occur.

**Conclusion**

These reports serve to document and provide evidence of a successful collaboration between independent security researchers and platform operators. They underscore the shared goal of making Inleo one of the most secure gateways in the Hive ecosystem.

---

Report Date: May 2024
Researcher: louis88
**Status: Resolved**
Severity: Critical (Emergency)

### Introduction & Audit Context

This report is part of a series of Responsible Disclosure documents regarding security audits conducted on the InLeo platform around May 2024.
This documentation is provided to ensure transparency regarding past vulnerabilities and to highlight the successful remediation efforts that have since secured the platform.

**Reassurance & Data Integrity Statement**

While the vulnerability described below presented a significant theoretical risk to user assets, it is important to emphasize the following:

- No Evidence of Abuse: There is currently no evidence or indication that this specific vulnerability was exploited by any malicious third party.
- No Data Leakage: To the best of our knowledge, no user information, private keys, or seed phrases were exfiltrated or leaked to unauthorized entities.
- Proactive Resolution: The vulnerability was identified, reported, and patched immediately by the InLeo development team, closing the risk window before any damage could occur.

### Summary

A critical vulnerability was discovered involving the Keystore Login Feature. When users authenticated using this feature, their entire Keystore—including all private keys and seed phrases—was stored within the session JWT (JSON Web Token) on the inleo.io domain. Due to the ability to upload HTML files to the img.inleo.io subdomain (as documented in previous reports), a malicious actor could host a script that extracted this JWT, decrypted/decoded it, and exposed the plaintext keys of any user who visited the malicious link.

### Technical Analysis

**The Keystore Vulnerability**

The "Keystore" was designed to provide a seamless user experience by managing Hive keys. However, the implementation at the time involved placing the Keystore's sensitive contents into the browser's session storage/cookies.

**The Exploit Vector: Subdomain Cookie Access**

Because the __session cookie was scoped to the parent domain (.inleo.io), it was accessible to any page running on a subdomain, including the image server (img.inleo.io).
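The finding above rests on two independent properties: the session JWT carried the Keystore in its payload (a JWT is only base64url-encoded, so anything that can read the cookie can read the keys), and the cookie's Domain attribute shared it with every subdomain. The following script is an added example written for this write-up, not code from the report or from InLeo. It audits a Set-Cookie header the way a defender would: it flags a Domain attribute, a missing HttpOnly flag and a missing Secure flag, decodes the cookie value as a JWT when it is one, and reports claim names that suggest key material. The cookie name __session and the domain .inleo.io come from the report; the token, the claim layout and the placeholder key strings are constructed for the example.

```javascript
// Added example, not part of the original report. All values below are
// constructed; the key strings are placeholders, not real Hive keys.

// Claim names that indicate key material: generic ones (keystore, private,
// seed, mnemonic) plus the Hive key roles (owner, active, posting, memo).
const SENSITIVE_KEY_PATTERN = /(keystore|private|seed|mnemonic|^owner$|^active$|^posting$|^memo$)/i;

// base64url ('-' '_' alphabet, no padding) -> UTF-8 string
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode a JWT payload without verifying the signature. Verification does not
// matter for this audit: the payload is readable by anyone holding the token,
// valid signature or not. Returns null for values that are not JWTs.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null; // e.g. an opaque session id
  try {
    return JSON.parse(base64UrlDecode(parts[1]));
  } catch {
    return null;
  }
}

// Walk the payload and return dotted paths of claims whose names match the pattern.
function findSensitiveClaims(obj, prefix = '') {
  const hits = [];
  if (obj === null || typeof obj !== 'object') return hits;
  for (const [k, v] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${k}` : k;
    if (SENSITIVE_KEY_PATTERN.test(k)) hits.push(path);
    hits.push(...findSensitiveClaims(v, path));
  }
  return hits;
}

// Parse one Set-Cookie header into { name, value, attrs }. Attribute names are
// case-insensitive (RFC 6265), so they are lower-cased here.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    if (i === -1) attrs[part.toLowerCase()] = true;
    else attrs[part.slice(0, i).toLowerCase()] = part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Report the properties that turned the finding into an exposure.
function auditSessionCookie(header) {
  const { name, value, attrs } = parseSetCookie(header);
  const findings = [];
  if ('domain' in attrs) {
    findings.push(`Domain=${attrs.domain}: cookie is sent to and readable by every subdomain`);
  }
  if (!attrs.httponly) findings.push('missing HttpOnly: value readable through document.cookie');
  if (!attrs.secure) findings.push('missing Secure: value may be sent over plaintext HTTP');
  const payload = decodeJwtPayload(value);
  if (payload) {
    for (const path of findSensitiveClaims(payload)) {
      findings.push(`${name} JWT payload carries key material at "${path}"`);
    }
  }
  return findings;
}

// Constructed sample resembling the vulnerable configuration described in the report.
const vulnerablePayload = {
  sub: 'alice',
  keystore: { posting: 'PLACEHOLDER_POSTING_KEY', active: 'PLACEHOLDER_ACTIVE_KEY' },
};
const vulnerableJwt = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify(vulnerablePayload)),
  'placeholder-signature',
].join('.');
const VULNERABLE_COOKIE = `__session=${vulnerableJwt}; Domain=.inleo.io; Path=/`;

// Hardened form: host-only (no Domain), HttpOnly, Secure, and an opaque
// server-side session id instead of a token that carries secrets.
const HARDENED_COOKIE = '__session=opaque-session-id-0001; Path=/; Secure; HttpOnly; SameSite=Lax';

console.log(auditSessionCookie(VULNERABLE_COOKIE)); // six findings
console.log(auditSessionCookie(HARDENED_COOKIE));   // []
```

Run with `node` to see the six findings for the constructed vulnerable cookie and none for the hardened one. The two fixes are independent: omitting the Domain attribute stops subdomains from receiving the cookie, and keeping key material out of the token entirely removes what there would be to extract. HttpOnly on its own is not a fix for the second point, since a Domain-scoped cookie is still sent to every subdomain on each request.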
**Proof of Concept (PoC)**

- JWT Extraction: An HTML file uploaded to the image server could programmatically read the session cookie.
- Decryption/Decoding: Al […]