
S08:2023 - Sensitive Data Handling 🛡️🔐

Overview

Leakage of sensitive data can have severe consequences for users. Whether it stems from unnecessary use of a low-level key API, improper storage of sensitive information, or negligent logging practices, this category ranks #8 in the Snap Security Top 10.

Description

Sensitive data handling encompasses the secure management of information that, if compromised, could lead to financial loss, privacy violations, or unauthorized access to user accounts. This includes, but is not limited to, private keys, user credentials, transaction details, and personal information. Establishing robust protocols for the entire lifecycle of sensitive data—from collection to disposal—is essential for maintaining the integrity and confidentiality of the Snap.

  • Incorrect storage of sensitive information.
  • Private key logged to console.
  • Debug logging in production mode.
  • Information disclosure in error messages.

How to Prevent

  • Collect only the necessary data required for the operation of the Snap, minimizing the amount of sensitive information stored or processed.

  • Implement secure storage practices for sensitive data, including encryption and access controls (origin checks), to prevent unauthorized access.

  • Clear (zero) buffers that held sensitive information as soon as they are no longer needed.

  • Do not log sensitive information.

Example Misuse Scenarios

Scenario #1: Private key stored in Snap

In this scenario, a Snap retrieves the root key entropy for a specific chain from MetaMask and then caches it in Snap state. Instead of caching such material in the Snap, leave it with the MetaMask core and request the entropy each time it is needed, clearing any buffers after use.

Scenario #2: Address calculations

In this scenario, a Snap asks the MetaMask core for the Ethereum key entropy in order to calculate account addresses. Instead of using the low-level key API, the Snap should use the account API to retrieve account addresses directly, so that no key material ever enters the Snap.

Scenario #3: Logging

In this scenario, a Snap logs objects to the console. These objects may contain sensitive information such as addresses or unencrypted private keys (see Scenario #2), and anything written to the console can be captured by developer tools, crash reports or log collectors.

Furthermore, disable console logging in production builds.
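As an added example, not code from the page or from MetaMask, here is a small log helper that redacts key material before anything reaches the console and becomes a no-op in production. The field names it treats as sensitive, the `isProduction` flag and the sample object are assumptions made for the example; note that a Node `Buffer` serialises as its raw byte array under `JSON.stringify`, so buffers are redacted outright.

```javascript
// Added example, not code from the Snap Security Top 10 page or from MetaMask.
// Field names, the isProduction flag and the sample object are assumptions.
const SENSITIVE_KEYS = /^(privateKey|chainCode|entropy|mnemonic|seed|secret|password)$/i;
const HEX_SECRET = /^(0x)?[0-9a-f]{64}$/i; // 32-byte hex: the shape of a private key or chain code
const ADDRESS = /^0x[0-9a-f]{40}$/i;

// Serialise a value for logging with secrets removed and addresses truncated.
function redactForLog(value) {
  return JSON.stringify(value, (key, v) => {
    if (SENSITIVE_KEYS.test(key)) return '[REDACTED]';
    // Buffer.toJSON() runs before the replacer and yields {type:'Buffer', data:[...]};
    // plain typed arrays arrive as-is. Either would dump raw bytes into the log.
    if (ArrayBuffer.isView(v)) return `[REDACTED ${v.byteLength}-byte buffer]`;
    if (v && typeof v === 'object' && v.type === 'Buffer' && Array.isArray(v.data)) {
      return `[REDACTED ${v.data.length}-byte buffer]`;
    }
    if (typeof v === 'string') {
      if (HEX_SECRET.test(v)) return '[REDACTED 32-byte hex]';
      if (ADDRESS.test(v)) return `${v.slice(0, 6)}...${v.slice(-4)}`;
    }
    return v;
  });
}

// Logger factory: in production every call is a no-op; otherwise each call
// writes one redacted line to `sink` (console.log by default) and returns it.
function createLogger({ isProduction = false, sink = console.log } = {}) {
  if (isProduction) return { debug: () => undefined };
  return {
    debug(label, value) {
      const line = `${label}: ${redactForLog(value)}`;
      sink(line);
      return line;
    },
  };
}

// Constructed sample resembling an entropy object a Snap might be tempted to log.
const SAMPLE = {
  privateKey: '0x' + '11'.repeat(32),
  address: '0x' + 'ab'.repeat(20),
  nested: { chainCode: 'anything', raw: '22'.repeat(32) },
  keyBytes: Buffer.from([1, 2, 3]),
};
```

Use the redacting logger everywhere instead of calling `console.log` directly, and wire `isProduction` to the build configuration so the production bundle never emits debug output at all.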