
Audit name: [PT] Cirus | Extension | Nov2024

Date: Jan 7, 2025

Table of Contents

Introduction
Audit Summary
System Overview
Findings
Appendix 1. Severity Definitions
Appendix 2. Scope
Disclaimer


Introduction

We express our gratitude to the Cirus team for the collaborative engagement that enabled the execution of this Pentest.

Cirus Foundation aims to empower individuals by enabling them to own, manage, and monetize their personal data.

Document

Name: Chrome Wallet Extension Security Analysis Report for Cirus
Audited By: Stephen Ajayi
Approved By: Stephen Ajayi
Website: https://cirusfoundation.com/
Changelog: 04/12/2024 - Preliminary Report
Changelog: 17/01/2024 - Retest Report
Platform: Web, Extension
Language: JavaScript
Tags: Pentest, BlackBox
Methodology: https://hackenio.cc/pentest_methodology

Review Scope

Asset: Chrome Extension


Audit Summary

14 Total Findings
11 Resolved
3 Accepted
0 Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report.

Threat Model and Assessment Overview

This threat model summarizes the security assessment conducted for the Cirus Chrome Extension, reflecting the actions taken by the client to address previously identified vulnerabilities. The client has successfully mitigated issues related to sensitive data exposure, excessive permissions, and weak security configurations. Additionally, the robust proxy protection mechanism, noted as a significant strength, continues to provide an effective layer of security. All vulnerabilities identified in the GraphQL endpoint and other areas have been resolved to enhance overall security.

Threat Use Cases

Data Interception

Objective: Assess the risk of sensitive data (e.g., user credentials, wallet information) being intercepted during transmission. Updated Assessment:

  • Previously identified exposure of sensitive information, such as OTPs, and user credentials in memory heap snapshots, has been resolved through improved memory management practices. Result: Fixed – Sensitive data is now protected, significantly reducing the risk of interception or compromise.

Script Injection

Objective: Test the extension’s UI for vulnerabilities to malicious script injection. Updated Assessment:

  • The Content Security Policy (CSP) finding has been resolved. The policy was originally added for a specific purpose, likely related to the Web3 authentication integration and the SDK or Ethereum libraries in use, though the exact details are unclear at this time. Result: Resolved

Permissions

Objective: Examine whether the extension’s permissions could be misused to perform unauthorized actions. Updated Assessment:

  • The permissions requested in the manifest file are intentional and align with the platform's purpose. Result: Fixed

API Abuse

Objective: Test the security of backend APIs against unauthorized access or abuse. Updated Assessment:

  • The existing proxy protection continues to add a robust layer of security.

  • Previously discovered GraphQL vulnerabilities, including insecure token usage and role enumeration, have been resolved by disabling the endpoint. Result: Fixed – Backend APIs, including GraphQL endpoints, are now fully disabled and protected from abuse.

Data Leakage

Objective: Verify if sensitive user data is inadvertently exposed through local storage, cookies, or logs. Updated Assessment:

  • Exposure of the mnemonic phrase and hash in memory heap snapshots has been accepted, since it is not a traditional mnemonic phrase but a secondary authentication method required when users switch devices.

  • Local storage and browser cookies remain securely managed. Result: Accepted

Vulnerable Dependencies

Objective: Assess the use of third-party libraries or frameworks for known vulnerabilities. Updated Assessment:

  • All third-party dependencies will be updated to the latest secure versions during the first half of the year. Result: Accepted

Insecure Password Policy

Objective: Evaluate the strength of the password policy implemented by the extension. Updated Assessment:

  • The password policy is not supported by Cognito, and implementing this functionality on the client’s end is not feasible due to the absence of password storage in their database. Result: Accepted

Misleading OTP Validation Feedback

Objective: Verify the user experience and security of OTP validation mechanisms. Updated Assessment:

  • The feedback provided during OTP validation will be revised to prevent misleading feedback in the future. Result: Accepted

Conclusion

The client has implemented comprehensive measures to address all identified vulnerabilities, significantly enhancing the security of the Cirus Chrome Extension. A key improvement involved removing access to an outdated GraphQL endpoint no longer in use, which accounted for many of the vulnerabilities identified during the assessment. In addition to this critical update, the client has introduced several other mitigations and improvements, ensuring the extension aligns with industry best practices for security. These enhancements provide robust protection for sensitive data, APIs, and user interactions, strengthening the extension's overall security posture and substantially reducing the risk of potential compromises.

System Overview

Cirus Foundation aims to empower individuals by enabling them to own, manage, and monetize their personal data. By leveraging blockchain technology, Cirus provides tools that allow users to transform their data into cryptocurrency assets, fostering greater participation in the digital economy.

Key Offerings:

  • Cirus Browser Extension: A tool that facilitates data ownership and monetization, allowing users to earn cryptocurrency as they browse the internet.

  • Cirus Device: A hardware solution designed to integrate with home networks, enhancing data collection capabilities and user rewards.

  • Cirus Platform: An ecosystem that connects users, data consumers, and service providers, ensuring transparent and fair data transactions.

Project Overview: Cirus Chrome Extension

The Cirus Chrome Extension is a multi-chain cryptocurrency wallet designed to empower users to earn cryptocurrency while browsing the web. This innovative tool integrates Web3 functionality with crypto asset management and data monetization.

Core Features

  1. Data Monetization: Enables users to earn rewards by passively sharing their browsing data while maintaining control over privacy.

  2. Multi-Chain Crypto Wallet: Supports secure management of multiple cryptocurrencies, with options for seamless crypto transactions and swaps.

  3. Web3 Integration: Provides users with direct access to the decentralized web, integrating seamlessly into the broader Cirus ecosystem.

Permissions

The extension requests permissions to enhance functionality:

  • Browser interactions: Tabs, bookmarks, cookies, browsing history, and top sites.

  • System integration: Access to system resources like CPU, memory, and display.

  • Geolocation and identity management: Allows personalized and location-based services.

  • Other functionalities: Web navigation, alarms, and windows management.

Technical Architecture

  • Manifest Version: Built on Chrome Extension Manifest v3 for enhanced security and performance.

  • Background Service: A service worker (service-worker-loader.js) ensures continuous background functionality.

  • Content Security Policy: Implements strict security policies to prevent unauthorized scripts or data leaks.

  • Default Interface: A popup interface (index.html) for user interaction.
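The report's Medium finding on excessive manifest permissions and its note on the extension's Content Security Policy both come down to reviewing manifest.json. Below is an added example (not Cirus's or Hacken's code) of a small manifest audit: it flags permissions outside a hypothetical allowlist and weak `script-src` sources in the MV3 `extension_pages` CSP. The sample manifest is constructed from the permission categories listed above; the allowlist is an assumption about what a wallet popup needs.

```javascript
// Constructed sample manifest, modelled on the permission categories the
// report lists (tabs, bookmarks, cookies, history, system.*, geolocation,
// identity, webNavigation, alarms). Not the real Cirus manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  background: { service_worker: "service-worker-loader.js" },
  action: { default_popup: "index.html" },
  permissions: [
    "tabs", "bookmarks", "cookies", "history", "topSites",
    "system.cpu", "system.memory", "system.display", "geolocation",
    "identity", "webNavigation", "alarms", "storage",
  ],
  content_security_policy: {
    extension_pages: "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'",
  },
};

// Hypothetical allowlist: permissions a wallet popup plausibly needs.
const WALLET_ALLOWLIST = new Set(["storage", "alarms", "tabs"]);

// script-src sources that weaken an extension CSP against injected scripts.
const WEAK_SCRIPT_SOURCES = ["'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:"];

// Returns a list of human-readable findings; an empty list means clean.
function auditManifest(manifest, allowlist) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push("manifest_version is not 3");
  }
  // Least privilege: every requested permission must be justified.
  const excess = (manifest.permissions || []).filter((p) => !allowlist.has(p));
  if (excess.length > 0) {
    findings.push(`excessive permissions: ${excess.join(", ")}`);
  }
  // CSP: locate the script-src directive and check each source token.
  const csp = (manifest.content_security_policy || {}).extension_pages || "";
  if (csp === "") {
    findings.push("no extension_pages CSP set; Chrome's MV3 default applies");
  }
  const scriptSrc = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("script-src")) || "";
  const sources = scriptSrc.split(/\s+/).slice(1);
  for (const weak of WEAK_SCRIPT_SOURCES) {
    if (sources.includes(weak)) findings.push(`script-src allows ${weak}`);
  }
  return findings;
}

console.log(auditManifest(SAMPLE_MANIFEST, WALLET_ALLOWLIST));
```

Run against the sample, the only finding is the list of permissions beyond the allowlist; swapping in a `script-src` that includes `'unsafe-eval'` adds a second finding.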

Findings

Code | Title | Status | Severity

F-2024-7430 | Insecure User Data Update Mechanism | fixed | High
F-2024-7432 | Insecure JWT Token Management: Indefinite Reuse of Old Tokens | fixed | High
F-2024-7431 | Insecure Role and Permission Enumeration via GraphQL Endpoint | fixed | High
F-2024-7353 | Sensitive Data Exposure: Mnemonic Phrase and Hash Leakage in Heap Memory | accepted | High
F-2024-7352 | Sensitive Data Exposure: OTP Leakage in Heap Memory | fixed | High
F-2024-7350 | Sensitive Data Exposure: User Credentials Exposure via Memory Heap Snapshots | fixed | High
F-2024-7356 | Excessive Permissions in Manifest | fixed | Medium
F-2024-7472 | Insecure Token Usage for Authentication in GraphQL Endpoint | fixed | Medium
F-2024-7428 | User Data Download Failure Due to Authentication/Authorization Flaw | fixed | Low
F-2024-7358 | Vulnerable Dependencies | fixed | Low

Showing 1-10 of 14 findings.


Appendix 1. Severity Definitions

Severity | Description

Critical
These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

High
These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach.

Medium
These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

Low
These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following:

Scope Details

Asset: Chrome Extension

Disclaimer
