Zecwallet HTML Rendering in Memos and the possibility of Phishing Attacks

I noticed that the memo field allows a rendering of a subset of HTML. Thankfully it isn't wired into the networking stack which means it can't load remote resources (so there are no privacy implications).

However, because you can load local images (including images that are bundled with the application), it is possible to render memos that could result be made to look kind of like they are coming from the app itself, and thus enable phishing-style attacks: for an example see the screenshot below for a quick proof-of-concept that I put together.

There are arguments to make on the merit of leaving richtext rendering enabled in memos, and probably requires a wider discussion regarding how the wallet wants to support different kinds of memo applications.

Personally, I'd recommend disabling them (at least by default) for now until such a conversation has happened and a more robust design is in place.

• log sec-research