Back to security portal
XSS in Trezor Connect
Reported on August 3, 2020
In August 2020, we were contacted by Gamer7112, a security researcher, who reported XSS issues in Trezor Connect. The issues were fixed and deployed to production shortly after.
Trezor Connect
Resolved vulnerabilities
Reported by community. Investigated. Resolved. Because your security is never optional.
- Missing confirmation in the ECDHSessionKey callNovember 26, 2023
- XSS in Trezor Connect legacy versionsFebruary 7, 2023
- Insufficient field size check in ProtobufJuly 12, 2021
- Missing path isolation checkJuly 14, 2020
- Malicious change in mixed transactionsMarch 7, 2020
- OP_RETURN treated as change outputMarch 5, 2020