Default settings allow using electrum lnpay $invoice without any confirmation or password #9236
Comments
Note: on Linux/macOS, the default is to use unix sockets for the RPC; on Windows we listen on a TCP port on localhost.
@Midar questioned on IRC how 37d090c / #9238 interacts with hardware wallets. This is a good question and it is complicated to answer. The short answer is that the RPC does not work for encrypted hw wallets. If the standard wallet with hw keystore is not encrypted, then CLI/RPC works without auth both before and after the change. (note that there is always rpcpassword-based authentication, see prev comment, I am only considering any auth after that) If the wallet file is encrypted with a hw device, then offline (meaning If there is a daemon running, note that If there is a GUI running, which I guess is the original motivation for this issue, the equivalent of
Hence, re encrypted hw wallets, to sum up, some commands worked prior to this change but in a really quirky/accidental fashion only -- and now they do not work. Another further note is that maybe malware running on the PC could communicate with the connected hardware device and request the encryption password from it. It depends on hw device type and implementation specifics whether there would be any prompt about this (e.g. a Trezor one would prompt for PIN, and potentially passphrase). But note that if an attacker could pull this off, they might as well just copy the wallet file, decrypt it, and do whatever they want there without the RPC. I am reopening this to signal that it warrants some more thought, but I think we could leave master as-is.
Hm, isn't the wallet always encrypted when using a HW wallet? In any case I'm seeing the lock symbol in Electrum and I can just use
No, you can click the lock and disable file encryption.
On master? Can you give repro steps?
No, this was on 4.5.5, waiting for the next signed release before I let this touch my wallet ;). What I meant to say is that before this change at least, it already had access, even with a HW wallet.
Yes that's already what I meant there ^
The default settings allow using electrum lnpay $invoice without any confirmation or password. That seems a bit risky, as anyone who can get access to the socket gets to spend all available LN balance.
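The concern in this thread is who can reach the RPC socket. As an added example (not part of the thread and not Electrum code), the following Python check reports whether local accounts other than the owner can connect to a unix-domain RPC socket. The function name `audit_rpc_socket`, its `stop_dir` parameter and the socket path passed in are assumptions made for illustration.

```python
import os
import stat

LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH    # group/other may connect()
LOOSE_SEARCH = stat.S_IXGRP | stat.S_IXOTH   # group/other may traverse the dir


def audit_rpc_socket(sock_path, stop_dir="/"):
    """Report whether accounts other than the owner can reach a unix RPC socket.

    On Linux, connect() needs write permission on the socket file and search
    (execute) permission on every directory leading to it.
    """
    sock_path = os.path.abspath(sock_path)
    st = os.stat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{sock_path} is not a unix socket")

    report = {
        "owned_by_me": st.st_uid == os.getuid(),
        "socket_loose": bool(st.st_mode & LOOSE_WRITE),
        "blocking_dir": None,   # first ancestor that keeps other users out
    }
    # Walk from the socket's directory up to stop_dir, looking for a directory
    # that group/other cannot traverse; one such directory is enough to
    # protect a socket whose own mode is too open.
    stop_dir = os.path.abspath(stop_dir)
    d = os.path.dirname(sock_path)
    while True:
        if not os.stat(d).st_mode & LOOSE_SEARCH:
            report["blocking_dir"] = d
            break
        parent = os.path.dirname(d)
        if d == stop_dir or parent == d:
            break
        d = parent
    report["exposed"] = report["socket_loose"] and report["blocking_dir"] is None
    return report


if __name__ == "__main__":
    import sys
    # Usage: python audit_sock.py /path/to/rpc/socket  (path supplied by the user)
    print(audit_rpc_socket(sys.argv[1]))
```

The check is conservative: it treats the socket as exposed when either the group or the other bits grant access along the whole path.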