XSS in Trezor Connect legacy versions

報告日：February 7, 2023

We were notified by Jun Kokatsu that there were XSS vulnerabilities, similar to those reported in August 2020. These vulnerabilities were present in the deprecated versions of Trezor Connect that were however still available to legacy implementations on urls https://trezor.connect.io/5, https://trezor.connect.io/6 and https://trezor.connect.io/7.

This issue posed a potential threat of a phishing attack which could gain more trust by changing content served from the trezor.io domain. The issue was fixed by removing those affected versions completely.

報告者 Jun Kokatsu

Trezor Connect

修正済みの脆弱性

コミュニティからの報告により、調査を行い、問題を解決しました。あなたのセキュリティは常に最優先です。

Donjon's Trezor Safe 3 evaluation
November 12, 2024
Missing confirmation in the ECDHSessionKey call
November 26, 2023
Insufficient field size check in Protobuf
July 12, 2021
XSS in Trezor Connect
August 3, 2020
Missing path isolation check
July 14, 2020
Malicious change in mixed transactions
March 7, 2020