Hi Flow Wallet team,
I'm a security researcher. During a review of the Flow Reference Wallet Chrome extension (currently distributed on Chrome Web Store), I identified multiple critical cryptographic vulnerabilities in the Google Drive backup encryption implementation.
These issues allow offline extraction and brute-force decryption of wallet private keys from cloud backups with minimal computational cost.
Severity: 2× Critical, 1× High
Affected component: Backup encryption (Google Drive cloud backup feature)
Status: Verified with working PoC against the production Chrome Web Store build (v2.9.4)
I do NOT want to disclose details publicly. The HackenProof bug bounty program for Flow Wallet is currently closed (83 days until reopening), and this repository has no SECURITY.md or private vulnerability reporting enabled.
Could you please provide a secure channel (email, private advisory, or similar) so I can share the full report and proof-of-concept?
Thank you.
@zzggo @lmcmz @caosbad
Hi Flow Wallet team,
I'm a security researcher. During a review of the Flow Reference Wallet Chrome extension (currently distributed on Chrome Web Store), I identified multiple critical cryptographic vulnerabilities in the Google Drive backup encryption implementation.
These issues allow offline extraction and brute-force decryption of wallet private keys from cloud backups with minimal computational cost.
Severity: 2× Critical, 1× High
Affected component: Backup encryption (Google Drive cloud backup feature)
Status: Verified with working PoC against the production Chrome Web Store build (v2.9.4)
I do NOT want to disclose details publicly. The HackenProof bug bounty program for Flow Wallet is currently closed (83 days until reopening), and this repository has no SECURITY.md or private vulnerability reporting enabled.
Could you please provide a secure channel (email, private advisory, or similar) so I can share the full report and proof-of-concept?
Thank you.
@zzggo @lmcmz @caosbad