By: SlowMist Security Team, SlowMist Technology
Background:
As the TON ecosystem heats up, Web3 phishing groups have begun to enter the TON battlefield. Currently, the TON ecosystem uses the TonConnect SDK to solve the problem of cross-platform/application wallet connection and interaction. Solutions of this kind inevitably run into one challenge: how can the requesting domain be verified when messages cross platform or application boundaries?
Typically, so that users can verify the source of a DApp or signature request when connecting their wallets, wallets display the source domain on the request approval page. This helps users confirm that the request source matches their intended action and keeps them from approving fraudulent signature requests from malicious sources.
The SlowMist security team has previously discovered domain verification security issues in cross-platform/application communication between wallets and DApps. We communicated with the MetaMask SDK and WalletConnect Web3Modal project teams and found that this issue is difficult to address. As a result, MetaMask and WalletConnect have not yet fully resolved it.
Recently, we discovered that the TonConnect SDK in the TON ecosystem also suffers from the same problem. We are disclosing this information to help users identify and mitigate such risks.
Analysis:
Typically, when a browser extension wallet interacts with a DApp, a JS script (content script) is injected into the webpage to forward messages between the webpage and the browser extension. The webpage and the content script communicate using `window.postMessage` and `window.addEventListener`. The `message` event delivered to the listener carries the sender's origin (`event.origin`), which the content script can act on: displaying it in the wallet's approval UI, checking it against a blacklist, or authenticating the sender by it. Because the origin is set by the browser rather than taken from the message payload, the webpage cannot forge it (provided the content script reads `event.origin` and not an origin field the page placed inside the data).
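As an added illustration (not code from TonConnect, SlowMist, or any wallet), here is a minimal content-script handler that makes decisions only from the browser-supplied `event.origin`; the `tonconnect-request` message shape, the blocklist entry, and the sample events are constructed for the example:

```javascript
// Added example: a content-script "message" handler that trusts only the
// browser-supplied event.origin. Not code from TonConnect or any wallet;
// the message shape and the blocklist entry below are assumptions.

// Hypothetical blocklist of known phishing origins (illustration only).
const BLOCKED_ORIGINS = new Set(["https://phishing.example"]);

// Decide what to do with one window "message" event. Returns a decision
// object so it can be inspected; a real content script would pass "forward"
// decisions to the extension background (e.g. chrome.runtime.sendMessage).
function handleDappMessage(event, pageOrigin) {
  // event.origin is set by the browser from the sending window; the page
  // cannot change it, unlike any field inside event.data.
  if (event.origin !== pageOrigin) {
    return { action: "drop", reason: "origin-mismatch", origin: event.origin };
  }
  const data = event.data;
  if (!data || data.type !== "tonconnect-request" || typeof data.method !== "string") {
    return { action: "drop", reason: "malformed", origin: event.origin };
  }
  if (BLOCKED_ORIGINS.has(event.origin)) {
    return { action: "drop", reason: "blocked", origin: event.origin };
  }
  // Stamp the verified origin onto the forwarded message so the wallet UI
  // shows it. Any "origin"/"url" claimed inside data is deliberately ignored.
  return {
    action: "forward",
    origin: event.origin,
    payload: { method: data.method, params: data.params || [] },
  };
}

// In a real extension this is the only wiring needed; skipped outside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const decision = handleDappMessage(event, window.location.origin);
    if (decision.action === "forward") {
      // chrome.runtime.sendMessage(decision);
    }
  });
}

// Constructed sample events standing in for real MessageEvents.
const SAMPLE_EVENTS = {
  // A genuine request from the page the script runs in.
  legit: {
    origin: "https://dapp.example",
    data: { type: "tonconnect-request", method: "sendTransaction",
            params: [{ to: "EQ-sample-address", amount: "1" }] },
  },
  // A payload that claims a trusted origin inside the data; the browser-set
  // origin still says where it really came from.
  spoofedPayload: {
    origin: "https://phishing.example",
    data: { type: "tonconnect-request", method: "sendTransaction",
            origin: "https://dapp.example" },
  },
};

function runSamples() {
  return {
    legit: handleDappMessage(SAMPLE_EVENTS.legit, "https://dapp.example"),
    // Script injected into phishing.example: origin matches the page but is blocked.
    blocked: handleDappMessage(SAMPLE_EVENTS.spoofedPayload, "https://phishing.example"),
    // Same event as seen by a script injected into another page: origin mismatch.
    mismatch: handleDappMessage(SAMPLE_EVENTS.spoofedPayload, "https://dapp.example"),
  };
}
```

The point of the sample is the second event: its payload claims `https://dapp.example`, but the handler never reads that field, so the forged claim has no effect and the decision is driven by the browser-set origin alone.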
During cross-platform/application message communication, however, messages are usually forwarded through a message-forwarding server (a bridge). That server has no browser-supplied origin to consult: any origin the client puts in the message is client data and can be forged, so the server cannot reliably determine which domain a message came from. This opens the door to message source spoofing. Here are two scenarios for cross-platform/application message communication:
- Browser Webpage <=> Message Forwarding Server <=> Wallet APP
- Other APP <=> Message Forwarding Server <=> Wallet APP
Taking the TonConnect SDK as an example: DApps use the TonConnect SDK as the tool for message communication between wallets and DApps. When integrating the TonConnect SDK, developers configure the `dappMeta` parameter, which carries information about the DApp, including its name, icon, and domain. This metadata is declared by the DApp itself; nothing on the path to the wallet ties it to the origin that actually sent the message.
The Problem:
The TonConnect SDK does not perform domain verification during message forwarding: the domain the wallet receives is simply what the DApp declared in its metadata, and neither the bridge nor the wallet can bind it to the real origin of the message. A malicious actor can therefore forge the origin of messages sent to the wallet. For example, a phishing site could send a connection or transaction request whose metadata carries a legitimate DApp's name, icon, and domain, so the wallet's approval page shows the legitimate domain and the user is tricked into approving transactions or revealing sensitive information.
Mitigation Strategies:
- Implement Domain Verification: The TonConnect SDK should implement a mechanism to verify the domain of the DApp sending messages. This could involve using a trusted source of domain information, such as a blockchain-based registry, or requiring DApps to provide a cryptographic signature that the wallet can check against a key bound to the claimed domain.
- User Education: Users should be educated about the risks of origin spoofing and encouraged to carefully review the source of messages before approving any transactions or providing sensitive information.
- Improved Wallet Security: Wallets should implement additional security measures to protect users from origin spoofing attacks. This could include displaying a warning when a request's declared domain could not be verified, rather than presenting it as if it were the browser-verified origin, or requiring users to manually confirm the origin of the DApp before approving any actions.
Conclusion:
The origin spoofing vulnerability in the TonConnect SDK poses a significant risk to users in the TON ecosystem. By implementing domain verification and user education measures, developers and wallet providers can help mitigate this risk and ensure a safer and more secure experience for users.