Issue #275: Redux DevTools Exposure of Private Keys in Steemit Wallet (Next.js)
The Issue
In the Next.js branch of the Steemit Wallet (src/lib/store/index.ts), Redux DevTools is enabled by default in development builds, so the full Redux state tree can be inspected in the browser's Redux DevTools panel.
Currently, when a user authenticates, the private key is stored in auth.privateKey within the Redux state. Because Redux DevTools serializes and displays the entire state by default, that key is visible to anyone who can open the developer tools: the end user, but also anyone watching a shared screen or recording during development, debugging sessions or screen-sharing, and any extension or remote-debugging tooling that receives the DevTools stream.
Why This Matters: Security Implications
1. Accidental Credential Leakage
- Developers or testers may inadvertently capture screenshots, recordings, or logs that include the DevTools panel
- Remote debugging setups or browser extensions could exfiltrate state data
- Shared development environments increase the blast radius of exposure
2. Development ≠ Safe by Default
While development environments are often considered "trusted," wallet applications handle high-value credentials. A private key exposed in DevTools during local testing can still be:
- Copied and misused before the session ends
- Harvested by XSS payloads if the dev server is misconfigured or exposed (a script in the page can read the store directly; DevTools merely makes the key easy to find)
- Retained in the DevTools action history, or in persisted and exported DevTools traces, after the key has been cleared from the store
3. Violation of Least-Privilege Principle
Even transient exposure of raw private keys in a serializable, inspectable store contradicts secure credential handling practices. Keys should be:
- Held in non-serializable, closure-scoped memory when possible
- Never rendered in developer-facing tooling without explicit sanitization
4. Audit & Compliance Concerns
For any project handling cryptographic keys, having sensitive material visible in standard debugging tooling complicates security reviews and may fail internal or external audit requirements.
Planned Resolution
Once PR #274 is merged, I will push a follow-up commit that adds stateSanitizer and actionSanitizer to the devTools configuration in src/lib/store/index.ts.
This change will ensure that:
- The auth.privateKey field is masked (e.g., replaced with ***REDACTED***) before being sent to Redux DevTools
- Actions that carry private key payloads are similarly sanitized
- The functional behavior of the store remains unchanged—only the debug output is affected
This is a minimal, targeted fix that preserves developer experience while eliminating accidental credential exposure in the most common development workflow. Sanitizers change only what DevTools displays: the raw key still lives in the store, where any script running in the page can read it, so this closes the debugging-channel leak and is not a substitute for keeping keys out of serializable state.
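As an added example (not the Steemit Wallet's own code, which is not shown here), this is how the stateSanitizer and actionSanitizer described above can be written in TypeScript and handed to Redux Toolkit's configureStore through its devTools option. The state shape follows the issue (auth.privateKey); the ui slice, the action type auth/login and all sample values are constructed for the demo. The redaction walks the whole object, so a field named privateKey is masked wherever it appears in state or in an action payload, which goes slightly beyond the single-field masking the post describes.

```typescript
// Added example (not the Steemit Wallet's own code): Redux DevTools sanitizers
// that mask private keys before state and actions reach the DevTools panel.
// Assumed for the demo: the ui slice, the action type "auth/login" and all
// sample values; only auth.privateKey comes from the issue.

const REDACTED = "***REDACTED***";

// Field names whose values must never reach DevTools. "privateKey" is the
// field named in the issue; extend the set if the store gains other key fields.
const SENSITIVE_KEYS: ReadonlySet<string> = new Set(["privateKey"]);

// Returns a copy of `value` with every property named in `keys` replaced by
// REDACTED, recursing through arrays and plain objects. Null/undefined values
// are kept so a logged-out state still reads as logged out. The input is never
// mutated, which matters because DevTools hands us the live store state.
function redactKeys<T>(value: T, keys: ReadonlySet<string>): T {
  if (Array.isArray(value)) {
    return value.map((item) => redactKeys(item, keys)) as unknown as T;
  }
  if (value !== null && typeof value === "object" &&
      Object.getPrototypeOf(value) === Object.prototype) {
    const src = value as unknown as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(src)) {
      out[k] = keys.has(k) && v != null ? REDACTED : redactKeys(v, keys);
    }
    return out as unknown as T;
  }
  // Primitives and non-plain objects (Date, class instances) pass through.
  return value;
}

// DevTools calls these with the live state / each dispatched action (plus an
// index argument, ignored here) and shows whatever they return.
function stateSanitizer<S>(state: S): S {
  return redactKeys(state, SENSITIVE_KEYS);
}

function actionSanitizer<A extends { type: string }>(action: A): A {
  return redactKeys(action, SENSITIVE_KEYS);
}

// Shape Redux Toolkit accepts: configureStore({ reducer, devTools: devToolsOptions })
// (wrap in `process.env.NODE_ENV !== "production" && ...` to keep DevTools off in prod).
const devToolsOptions = { stateSanitizer, actionSanitizer };

// Constructed sample data, not real credentials.
const sampleState = {
  auth: { username: "alice", privateKey: "FAKE-PRIVATE-KEY-FOR-DEMO" },
  ui: { theme: "dark" },
};

const sampleAction = {
  type: "auth/login",
  payload: { username: "alice", privateKey: "FAKE-PRIVATE-KEY-FOR-DEMO" },
};

// What DevTools would display for the sample state and action.
function devToolsView() {
  return {
    state: devToolsOptions.stateSanitizer(sampleState),
    action: devToolsOptions.actionSanitizer(sampleAction),
  };
}

console.log(JSON.stringify(devToolsView(), null, 2));
```

Both sanitizers receive the live state or action, so they must return a copy rather than mutate; a null privateKey is left as null so the logged-out state still reads accurately. Because DevTools keeps an action history, the sanitizers have to be configured before the first login action is dispatched; they cannot scrub history the extension has already received.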
Summary
| Aspect | Detail |
|---|---|
| Issue | Redux DevTools displays raw private keys stored in Redux state during development |
| Location | src/lib/store/index.ts → auth.privateKey |
| Risk Level | Medium-High (development-only, but high-impact if exposed) |
| Fix Scope | Add sanitizers to DevTools config; no runtime behavior changes |
| Dependency | Follows merge of #274 |
This issue highlights an important reminder: even in development, credential handling in wallet applications demands deliberate safeguards. The upcoming fix ensures that debugging convenience does not come at the cost of security hygiene.
If you think my contributions matter and you want to support further development for the STEEM ecosystem, please consider voting for my witness: blaze.apps
🗳️ Vote Here:
Vote for blaze.apps Witness