Security Audits

TezBox Wallet
Sep 7, 2018

TezBox was extremely fortunate to be funded by the Tezos Foundation for two security audits: the first by a well-known expert in the security field, and the second by LeastAuthority. Both have worked on audits of the Tezos core protocol and of other Tezos-related tools.

Both Security Audits found that the TezBox codebase was well structured, easy to read, and followed security best practices. This article aims to share details about the findings of the audits and the changes we made to comply with the recommendations.

SSL Certificate and Security Headers

Our first audit noted that the SSL/TLS setup of our backend nodes (TezRPC) was not as secure as it could be. We strengthened the cipher configuration and updated the underlying SSL software. We also added two security headers to the web wallet server: Content-Security-Policy and X-XSS-Protection.

Although none of these findings exposed a user's private key, the recommendations were sensible and we adopted them.
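The kind of check an auditor runs against a web wallet's server, as an added example (not TezBox's code, and not the policy TezBox deployed): it takes a response header set and reports which security headers are missing and which are present but weak. The two headers named above are covered, and the check goes a little beyond the page by also looking at HSTS, X-Content-Type-Options and X-Frame-Options, which are usually reviewed together with them. The acceptable values encoded in HEADER_POLICY, the sample BEFORE/AFTER responses and the fetchHeaders helper are all assumptions made for the illustration.

```javascript
// Added example, not TezBox's own code. Header policies below are assumptions
// for a single-origin web application; adjust them to the site being audited.

// Header name (lowercase, as Node's http client reports them) -> predicate that
// returns true when the value is acceptable.
const HEADER_POLICY = {
  // CSP must set a default source and must not permit inline script or eval.
  'content-security-policy': (v) =>
    /\bdefault-src\b/.test(v) && !/'unsafe-inline'|'unsafe-eval'/.test(v),
  // Legacy browser XSS filter; "1; mode=block" is the only value worth setting.
  'x-xss-protection': (v) => /^1;\s*mode=block$/i.test(v),
  // HSTS with at least 180 days so browsers keep using TLS for the origin.
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= 180 * 24 * 3600;
  },
  'x-content-type-options': (v) => v.trim().toLowerCase() === 'nosniff',
  'x-frame-options': (v) => /^(deny|sameorigin)$/i.test(v.trim()),
};

// Returns { missing: [...], weak: [...] } for a headers object. Header names
// are compared case-insensitively, values are checked by the policy above.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const missing = [];
  const weak = [];
  for (const [name, ok] of Object.entries(HEADER_POLICY)) {
    if (!(name in lower)) missing.push(name);
    else if (!ok(lower[name])) weak.push(name);
  }
  return { missing, weak };
}

// Constructed sample responses (not captured from any real server): BEFORE has
// no CSP and a disabled XSS filter; AFTER is what the recommendations lead to.
const BEFORE = {
  'Content-Type': 'text/html',
  'X-XSS-Protection': '0',
};
const AFTER = {
  'Content-Type': 'text/html',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
  'X-XSS-Protection': '1; mode=block',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
};

// Fetch live response headers with Node's https module so the same audit can be
// run against a real deployment (assumed helper; not exercised offline).
function fetchHeaders(url) {
  return new Promise((resolve, reject) => {
    const req = require('https').request(url, { method: 'HEAD' }, (res) => {
      res.resume();
      resolve(res.headers);
    });
    req.on('error', reject);
    req.end();
  });
}

// Offline run over the constructed samples.
console.log('before:', auditHeaders(BEFORE));
console.log('after:', auditHeaders(AFTER));
```

Run it with `node` to see the two reports; to audit a live site, `fetchHeaders('https://example.com/').then(auditHeaders).then(console.log)`. Note that Content-Security-Policy is the header that actually restricts where scripts can load from; X-XSS-Protection only toggles a heuristic filter in older browsers, so it should be treated as a minor hardening measure rather than a substitute for a tight CSP.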

Outdated libraries and unused code

Our first audit also recommended that we update one of the third-party libraries we use, as the newer version was fully compatible with our software and there was no reason to keep using the older one. It was also recommended that we remove a portion of unused code. This code originally provided legacy support for early wallet creators but was no longer used at that stage, so it made sense to remove it, as it provided no functionality to the overall software.

These recommendations did not directly affect the security of the software, but were sensible observations.

Weak password requirements

Prior to the audit, the only password requirement enforced was the length of the password: it had to be at least 8 characters. The second audit recommended that we enforce stricter passwords. Our new password validation requires the following:

1. Min 8 characters
2. Must contain alphabetic characters
3. Must contain at least one lowercase and at least one uppercase letter
4. Must contain at least one other character type (number or symbol)
5. Must not contain any whitespace

This change made sense to provide a better and more secure experience for the end user.
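An implementation of the five rules above, as an added example and not TezBox's own validator. The function returns every rule the candidate fails rather than stopping at the first, so a wallet UI can show the user all of the problems in one pass. The rule identifiers and the sample passwords are assumptions made for the illustration.

```javascript
// Added example, not TezBox's own code. Each rule below corresponds to one of
// the five requirements listed on the page.
const PASSWORD_RULES = [
  { id: 'length',     msg: 'at least 8 characters',
    test: (p) => p.length >= 8 },
  { id: 'alpha',      msg: 'at least one letter',
    test: (p) => /[A-Za-z]/.test(p) },
  { id: 'mixed-case', msg: 'both a lowercase and an uppercase letter',
    test: (p) => /[a-z]/.test(p) && /[A-Z]/.test(p) },
  // "Other character type": anything that is neither an ASCII letter nor
  // whitespace counts, so digits and symbols both satisfy the rule.
  { id: 'other',      msg: 'at least one number or symbol',
    test: (p) => /[^A-Za-z\s]/.test(p) },
  { id: 'whitespace', msg: 'no spaces, tabs or line breaks',
    test: (p) => !/\s/.test(p) },
];

// Returns the ids of every rule the password fails; an empty array means valid.
// A non-string input (undefined from a missing form field, for example) fails
// every rule rather than throwing inside the UI.
function validatePassword(password) {
  if (typeof password !== 'string') return PASSWORD_RULES.map((r) => r.id);
  return PASSWORD_RULES.filter((r) => !r.test(password)).map((r) => r.id);
}

function isValidPassword(password) {
  return validatePassword(password).length === 0;
}

// Human-readable messages for the failed rules, for display next to the field.
function passwordProblems(password) {
  const failed = new Set(validatePassword(password));
  return PASSWORD_RULES.filter((r) => failed.has(r.id)).map((r) => r.msg);
}

// Constructed sample inputs.
for (const candidate of ['short', '12345678', 'correct horse battery staple', 'Tz1Example!']) {
  console.log(JSON.stringify(candidate), '->', passwordProblems(candidate));
}
```

One trade-off worth knowing when adopting composition rules like these: a long passphrase such as "correct horse battery staple" is rejected (no uppercase letter, no digit or symbol, and it contains spaces) even though its length gives it more entropy than many passwords that pass, so the minimum length, not the character classes, does most of the work against brute force.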

Chrome extension

The LeastAuthority audit found a number of flaws in the Chrome extension. None of them compromised a user's private key, but they could potentially cause a user to accidentally authorize a transaction, for example by spamming the user with TezBox authorization requests until one was approved by mistake. The audit also found a few issues with the user interface.

We remedied this by removing the developer API and switching the Chrome extension from using a popup to a separate tab. This is similar to recent changes made by Metamask, and it allows us to revisit the developer API in the future.
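TezBox's remedy was to remove the developer API altogether. As an added example of the alternative a wallet would need if it reinstated such an API, and not TezBox's code, the following gate sits in front of the "authorize transaction" prompt and blunts the spamming attack in three ways: an origin can have only one prompt pending at a time, an origin whose prompts are rejected repeatedly is muted for a while, and an approval that arrives before the prompt has been on screen for a minimum time is treated as an accidental click rather than consent. The class name, the origin strings, the timing constants and the injected clock are all assumptions for the illustration.

```javascript
// Added example, not TezBox's own extension code. The mitigation pattern is
// general; the thresholds below are assumptions and would be tuned in practice.
class AuthorizationGate {
  constructor({ maxRejects = 3, windowMs = 30000, minShowMs = 500, now = () => Date.now() } = {}) {
    this.maxRejects = maxRejects; // rejections within windowMs before an origin is muted
    this.windowMs = windowMs;
    this.minShowMs = minShowMs;   // approvals faster than this are treated as accidental
    this.now = now;               // injectable clock so behaviour can be tested offline
    this.pending = new Map();     // origin -> { tx, shownAt } currently shown to the user
    this.rejects = new Map();     // origin -> timestamps of recent rejections
  }

  // Called when a page asks the wallet to sign tx. Returns { ok, reason }.
  // Only reason === 'shown' means a prompt was actually put in front of the user.
  request(origin, tx) {
    const t = this.now();
    const recent = (this.rejects.get(origin) || []).filter((ts) => t - ts < this.windowMs);
    this.rejects.set(origin, recent);
    if (recent.length >= this.maxRejects) return { ok: false, reason: 'muted' };
    if (this.pending.has(origin)) return { ok: false, reason: 'pending' };
    this.pending.set(origin, { tx, shownAt: t });
    return { ok: true, reason: 'shown' };
  }

  // Called when the user acts on the prompt. Returns { outcome, tx }; tx is only
  // handed back for signing when outcome === 'approved'.
  resolve(origin, approved) {
    const req = this.pending.get(origin);
    if (!req) return { outcome: 'none', tx: null };
    this.pending.delete(origin);
    const t = this.now();
    if (approved && t - req.shownAt >= this.minShowMs) {
      return { outcome: 'approved', tx: req.tx };
    }
    // Explicit rejection and too-fast "approval" both count against the origin.
    this.rejects.get(origin).push(t);
    return { outcome: approved ? 'too-fast' : 'rejected', tx: null };
  }
}

// Constructed scenario: a hostile page hammers the wallet with requests.
let clock = 0;
const gate = new AuthorizationGate({ now: () => clock, maxRejects: 2, windowMs: 10000 });
const origin = 'https://dapp.example';
console.log(gate.request(origin, { to: 'tz1...', amount: 1 }).reason); // shown
console.log(gate.request(origin, { to: 'tz1...', amount: 2 }).reason); // pending
clock = 100;
console.log(gate.resolve(origin, true).outcome);                        // too-fast
```

The three checks are independent: dropping any one of them reopens a path for the attacker, since a queue without a mute lets the next prompt appear the instant the previous one closes, and a mute without the minimum display time still lets a prompt be raised under a click the user was about to make.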

Note: Another issue was detected which did allow an attacker with direct access to a user's computer to retrieve the private key. This issue had been patched earlier, but the change had not yet been pushed to the GitHub repository, so it was still present in the code being audited.

Conclusion

We are really happy that TezBox has successfully completed two security audits by industry professionals, and are grateful to the Tezos Foundation for funding them. We will continue to develop TezBox whilst maintaining the highest security standards to keep our users safe.

Written by TezBox Wallet. TezBox is a community developed wallet for the Tezos network that is cross-platform, open-source and decentralized - https://tezbox.com