-
m-relay
<azxswed:matrix.org> You have a vulnerability: cryptocurrency wallet has public and secret keys in the app, so it shouldn't be that way
-
bombasticpenguin
Hi. I attempted to post 2 issues using an anonymous GitHub account, but the account was shadowbanned for using Tor. I will post the 2 issues below. I will linger in this IRC for about an hour if anyone has questions.
-
bombasticpenguin
[Bug - Privacy] Wallet information logged in plaintext
-
bombasticpenguin
`monero-wallet-gui.log` stores plaintext information, including wallet directories and wallet public addresses. This is a vulnerability when adversaries have access to one's computer, as it links public addresses to their identity, and proves the existence of one or multiple wallets that were at one point connected to the computer. I have not found a way to disable this plaintext logg
-
bombasticpenguin
[Feature - Privacy] Disable unencrypted persistence on a per-wallet basis
-
bombasticpenguin
When locking a wallet and closing the GUI, reopening the GUI will automatically prompt you to log back in with that same wallet. As no password has been entered at this point, I assume the wallet path is stored somewhere unencrypted. This is a vulnerability when adversaries have access to one's computer, as it proves the existence of one or multiple wallets that were at one point connecte
-
bombasticpenguin
d to the computer, which may have otherwise gone undiscovered. See also: above. I think it would be wise to include a way to disable all unencrypted persistence of any kind on a per-wallet basis, including at least wallet paths and plaintext logging.
-
bombasticpenguin
First pasted issue "Wallet information logged in plaintext" was incomplete, below is remainder of its text:
-
bombasticpenguin
ing. Setting `Log Level` to 0 in the GUI still outputs a sparse plaintext log, and public addresses are still included in that output.
-
sech1
I think if an adversary has access to user's computer, they can do far more malicious things than just finding wallet file paths. They can scan the whole disk to find wallet files, install a keylogger/memory grabber and just steal unencrypted wallet keys when the user opens their wallet
-
bombasticpenguin
My use case would be plausible deniability of an additional wallet not connected/accessible to the computer at the time my adversary has access to it. Such as a wallet stored on an encrypted external hard drive. With logging, the existence of this additional wallet cannot be denied.
-
sech1
you can delete wallet log files at exit, or use monero-wallet-cli (it doesn't log much)
-
sech1
as for the external hard drive - it's best to make it bootable and install something like Tails OS on it, and open wallets from there. It will not leave any traces in your regular OS installation.
-
bombasticpenguin
Understood regarding Tails. But this seems like a needless attack surface regardless, why log sensitive information to plaintext? As for deleting wallet log files, can this be automatically done upon exit via settings in the GUI?
-
sech1
I guess it was never looked at as sensitive information before
-
sech1
Private keys - yes, they're taken care of, but wallet paths were considered harmless
-
sech1
it all depends on your threat level. Some people may even not want any "monero" log files exist at all.
-
bombasticpenguin
Well, food for thought then :) Any record of wallet paths or associated public addresses visible without having access to the wallet itself is sensitive information in my threat model.
-
bombasticpenguin
I can see the argument for not logging at all, too. IMO would also be a welcomed setting to introduce.
-
bombasticpenguin
I will be disconnecting from IRC soon, but thank you for discussing this with me. If possible, I would appreciate it if someone with GitHub access could post an issue/feature request on my behalf. I imagine a request to disable all logging would be the most straightforward. As for the last remembered wallet path, I'd consider that less urgent but still of concern and worth mentioning.
-
bombasticpenguin
Or, perhaps logging could be moved behind wallet encryption.
-
bombasticpenguin
Anyway, thanks again. Cheers to those working on this software and making Monero more accessible :)
-
moneromooo
You'd store that setting in... the config file for another commonly used program that doesn't barf upon seeing an unknown setting?
-
bombasticpenguin
Not sure I understand the question, moneromooo. Without knowing how GUI Wallet's codebase is set up, I imagine disabling logging could be stored in a config for the GUI wallet application, or on a per-wallet basis. Log level does not reveal any identifying information about a wallet or address.
-
moneromooo
That'd hide the usage of monero itself.
-
moneromooo
(unless you enable that logging in the "other" config file)
-
moneromooo
But that's getting a bit much I guess.
-
bombasticpenguin
I think for users who wish to hide the usage of Monero itself, sech1's suggestion of an external drive with Tails would make the most sense. If the program is present on one's machine, odds are they are using it.
-
bombasticpenguin
But disabling logging would only let an adversary know that you use Monero and they can only find wallets currently present on the system, without leaking whether any additional wallets/addresses had been historically accessed.
-
m-relay
<321bob321:monero.social> I use the app image and store it on a drive with btrfs