Friend.tech website version launched! But potential cybersecurity issues discovered?

The social platform friend.tech can be said to be the hottest application in the recent cryptocurrency community, and today (21) it officially launched its web version, allowing users to use it on a computer. However, 0xngmi, the founder of the data platform DeFiLlama, found several issues after checking friend.tech, believing that if its front end is hacked, it could lead to significant losses.

Security Risks of friend.tech

According to 0xngmi, several issues were discovered in the security model of friend.tech after conducting a check:

1. If the frontend of friend.tech is hacked, hackers can steal funds by directly embedding an iframe to send ETH.
2. If the iframe of a company supporting friend.tech's built-in wallet technology, such as privy, is hacked, hackers can steal funds because privy holds the private key.
3. If privy ceases operation or loses data, users will lose their assets as privy holds 2/3 private key fragments.

According to privy's private key storage mechanism, the private key is divided into 3 fragments, and possessing any 2 fragments can form the complete private key.

Since friend.tech does not require users to enter a mnemonic phrase, 0xngmi believes that, in addition to Auth share, Recovery share's private key fragments are also held by privy.

In response, 0xngmi warns that if friend.tech is subjected to the same webpage frontend attack as Balancer, assets could be lost simply by opening the webpage, without the need for any action.

Event Review: Balancer Frontend Hacked! Estimated Loss of $238,000

Furthermore, 0xngmi also reminds that scenarios where the webpage frontend saves user's private keys also appear in friend.tech's forked platform. Therefore, malicious upgrades to the webpage frontend by hackers may lead to the loss of private keys and assets.