[SECURITY] nethermind is logging the password used for personal_unlockAccount RPC call
#4185
Comments
We are discouraging the use of
@LukaszRozmej some people are still using these methods to create accounts or send transactions; it's handy to be able to do that, and even geth allows the personal namespace and is not deleting these methods. There was a debate on this topic back then on OpenEthereum (Parity) as well, and they decided not to delete these methods as they are still used: openethereum/parity-ethereum#9997. Of course, for the best security you need to use third-party signing, but for testing something it's useful (e.g. testing sending on a testnet).
Geth would like to drop support for it too: https://twitter.com/URozmej/status/1537374156584517632 Nodes are not designed for this and shouldn't be.
It's a useful feature and I'm sure many are still using it who didn't want to invest in creating their own signing system. And many nodes stay inside internal networks, not exposed anywhere.
Describe the bug
Nethermind logs all RPC requests and their arguments in its logfile. Nethermind does not obfuscate or censor the password argument when personal_unlockAccount is called. This behaviour
a) is a potential security risk,
b) is against the best practice of not logging secrets at all, and
c) should be avoided.
To Reproduce
Steps to reproduce the behavior: call personal_unlockAccount and see your password in plain text in the log.
Expected behavior
Logging of arguments should be filtered to sanitize secrets in the arguments of specific RPC calls.
Logs
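The expected behaviour asked for above, sanitizing secret-bearing arguments before a JSON-RPC request is written to the log, as an added example. This is illustration code written for this page, not Nethermind's code (Nethermind is written in C#; Python is used here so the example runs stand-alone). The parameter positions assume the geth `personal` namespace signatures (`personal_unlockAccount(address, passphrase, duration)`, `personal_newAccount(passphrase)`, `personal_importRawKey(keydata, passphrase)`, `personal_sendTransaction(tx, passphrase)`, `personal_sign(message, address, passphrase)`); whether Nethermind uses the same positional layout is an assumption. The sample request bodies are constructed, not real log lines.

```python
import json
from typing import Any

REDACTED = "<redacted>"

# Positional parameters that carry secrets, per the geth "personal" namespace
# signatures. Assumption: the node under discussion uses the same positions.
SECRET_POSITIONS = {
    "personal_unlockAccount": {1},    # (address, passphrase, duration)
    "personal_newAccount": {0},       # (passphrase)
    "personal_importRawKey": {0, 1},  # (privateKeyHex, passphrase)
    "personal_sendTransaction": {1},  # (tx, passphrase)
    "personal_sign": {2},             # (message, address, passphrase)
}


def redact_request(req: Any) -> Any:
    """Return a copy of one JSON-RPC request that is safe to log."""
    if not isinstance(req, dict):
        return req
    out = dict(req)
    method = req.get("method")
    params = req.get("params")
    if not isinstance(method, str):
        return out
    positions = SECRET_POSITIONS.get(method)
    if positions is None:
        # Unknown method in the secret-bearing namespace: fail closed and
        # drop all arguments rather than guess which one is the password.
        if method.startswith("personal_") and params is not None:
            out["params"] = REDACTED
        return out
    if isinstance(params, list):
        out["params"] = [REDACTED if i in positions else p for i, p in enumerate(params)]
    elif params is not None:
        # Named parameters or a malformed payload: positions don't apply, so
        # redact everything instead of risking a leak.
        out["params"] = REDACTED
    return out


def redact_payload(payload: Any) -> Any:
    """Handle both a single request and a JSON-RPC batch (a JSON array)."""
    if isinstance(payload, list):
        return [redact_request(r) for r in payload]
    return redact_request(payload)


def sanitize_log_line(raw_body: str) -> str:
    """Produce the string a request logger should emit for a raw request body."""
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError:
        # Unparseable input may still contain a secret; never echo it verbatim.
        return "<unparseable JSON-RPC body, %d bytes>" % len(raw_body)
    return json.dumps(redact_payload(payload), separators=(",", ":"))


# Constructed sample request bodies (not taken from any real node log).
ADDR = "0x0000000000000000000000000000000000000001"
SAMPLE_BODIES = [
    '{"jsonrpc":"2.0","id":1,"method":"personal_unlockAccount","params":["%s","hunter2",300]}' % ADDR,
    '{"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}',
    '[{"jsonrpc":"2.0","id":3,"method":"personal_importRawKey","params":["deadbeef","pw"]},'
    '{"jsonrpc":"2.0","id":4,"method":"personal_someNewMethod","params":["x"]}]',
    '{"jsonrpc":"2.0","id":5,"method":"personal_unlockAccount","params":{"address":"%s","passphrase":"hunter2"}}' % ADDR,
    "garbage that is not JSON but contains hunter2",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(sanitize_log_line(body))
```

A positional map like this is a deny-list and has to be maintained whenever a secret-taking method is added; the `personal_` fail-closed branch limits the damage of forgetting one. Filtering at the logger also does nothing about the password crossing the wire or sitting in the RPC server's memory, so the comments above recommending external signing still stand.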