Missing confirmation in the ECDHSessionKey call

Reportado em November 26, 2023

The Trezor Safe 3 returns the ECDHSessionKey without requiring appropriate user interaction, resulting in the omission of address confirmation screens in the user interaction workflow.

This concerns only the SSH functionality in Trezor and was fixed in 2.6.4.

Reportado por Mathias Herberts

Trezor Safe 3

Vulnerabilidades resolvidas

Reportado pela comunidade. Investigado. Resolvido. Porque sua segurança nunca é opcional.

Inability to cancel certain flows on pre-production firmware
31 de outubro de 2025
Donjon's Trezor Safe 3 evaluation
12 de novembro de 2024
XSS in Trezor Connect legacy versions
7 de fevereiro de 2023
Insufficient field size check in Protobuf
12 de julho de 2021
XSS in Trezor Connect
3 de agosto de 2020
Missing path isolation check
14 de julho de 2020