The Monero web wallet says it has undergone a successful security review by an independent provider, with analysts concluding that “a number of potential vulnerabilities” have now been fixed and their risks mitigated.
XMRWallet’s infrastructure was audited by New Alchemy, a blockchain strategy and technology advisory group. During its tests in June 2018, the application’s web traffic and user interface were inspected, all with the aim of uncovering security flaws that could affect trustworthiness.
In its report[1], New Alchemy concluded: “The XMRWallet application exhibits a high-quality user experience, a modern development approach, and a clear separation of client and server functionality. However, the security review has identified a number of potential vulnerabilities.”
Although these issues varied in severity — some minor, some critical — New Alchemy’s assessment concluded all these flaws were fixed. Examples included the “potentially risky usage of JavaScript” along with the “inadvisable display of private fields and input auto-completion.”
Following retesting — with XMRWallet[2] given advice on ways to mitigate certain issues — New Alchemy said all seven critical issues had been fixed. All but one of the moderate issues raised were addressed, with the last one being reclassified as a “general concern” instead of a security issue. Three minor issues were also fixed, and another three were partially fixed or described as “informational.”
The report added: “The XMRWallet application provides an excellent and intuitive user interface. Each aspect of the application was exercised, including value transfers to and from multiple counter-parties. The code organization and development process facilitated understanding how components fit together. A key strength of the application is minimal endpoints, minimal external data dependencies and minimal unrelated web traffic.”
Overall, New Alchemy said the fixes didn’t require a