by miguelmota 2577 days ago
The hedgehog library is completely unsafe considering that any third party library or browser extension loaded in the website using the SDK can loop through localStorage to read the entropy value, therefore recreating the HD wallet and stealing the user's account.

This.

This is why FinneyFor uses an iFrame to keep the private key safe in localStorage only accessible from JS running on the same domain. FinneyFor uses postMessage to communicate between the parent frame when payment is processed, so you get the benefits of creating transactions in any kind of browser, but none of the risks as the parent rightfully points out.

https://finneyfor.com/

We documented this here: https://audiusproject.github.io/hedgehog-docs/#security-cons...

This is why we recommend that you audit all 3rd-party JavaScript in your app for accesses to localStorage, and avoid sourcing 3rd-party JavaScript from uncontrolled origins (the code could be switched out from under you if it is not baked into your application).

The post message model is an interesting one - we looked into designing Hedgehog in that way, but decided it ultimately did not help solve this issue and created unnecessary complexity. If you include JavaScript from libraries or other origins on your page, e.g. Google Analytics, that JavaScript could still post-message into your iframe.

Perhaps we are wrong here though! Is FinneyFor open-source? Would love to see how this is implemented.

We don't have any other JS libraries on FinneyFor so there would never be that problem.

Auditing the source code of all libraries is a tall order. And, even if you don't find a bug, there still might be some that someone else could exploit with bugs in your code and the JS libraries.

FinneyFor is not open source.
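
The iframe-plus-postMessage model debated in this thread, as an added example that is not part of any comment and is not FinneyFor's or Hedgehog's code: a message gate for a wallet iframe, showing what an origin check can and cannot establish. The parent origin, the message fields and their formats, and the `ui.confirm` / `signer.sign` hooks are all assumptions.

```javascript
// Added example; every name, origin and field format below is hypothetical.
const ALLOWED_PARENTS = new Set(["https://shop.example"]); // constructed allowlist

// Classify one incoming message event without touching the key.
function gateMessage(event, allowedParents = ALLOWED_PARENTS) {
  // Exact-match origin allowlist; never substring or regex matching.
  if (!allowedParents.has(event.origin)) return { action: "reject", reason: "origin" };
  const msg = event.data;
  // Strict schema: one request type, bounded string fields (assumed formats).
  if (typeof msg !== "object" || msg === null || msg.type !== "payment-request")
    return { action: "reject", reason: "type" };
  if (typeof msg.to !== "string" || !/^[0-9a-zA-Z]{20,64}$/.test(msg.to))
    return { action: "reject", reason: "recipient" };
  if (typeof msg.amount !== "string" || !/^[1-9][0-9]{0,29}$/.test(msg.amount))
    return { action: "reject", reason: "amount" };
  // A passing origin check does NOT identify which script on the parent page
  // sent the message: analytics or other third-party JS there shares that
  // origin. So a valid request only ever leads to a user prompt.
  return { action: "prompt", request: { to: msg.to, amount: msg.amount } };
}

// ui.confirm and signer.sign are hypothetical hooks supplied by the iframe app.
async function handleMessage(event, ui, signer) {
  const verdict = gateMessage(event);
  if (verdict.action !== "prompt") return verdict;
  // The prompt renders inside the iframe; the same-origin policy keeps
  // parent-page scripts out of this DOM and out of this localStorage.
  if (!(await ui.confirm(verdict.request)))
    return { action: "reject", reason: "user-declined" };
  const signedTx = await signer.sign(verdict.request);
  // Reply with the result only, addressed to the validated origin (never "*").
  event.source.postMessage({ type: "payment-result", signedTx }, event.origin);
  return { action: "signed" };
}

// In the iframe page this would be attached as:
//   window.addEventListener("message", (e) => handleMessage(e, ui, signer));
```

The gate exposes no message type that returns entropy or key material, so the most a script on the parent page can obtain is a confirmation prompt shown to the user.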