[Security] Disable Qrcode display to avoid passphrase stealing

Describe the bug

Right now, the passphrase and QrCode are blurred. Blurring is not secure, or at least the applied version.

I’ve just started using Anytype and something that struck me when I was in the presentation is that the presenter ( @endac ) showed his screen with the QrCode and passphrase blurred. So I immediately knew it was compromised the second I saw it. I tried on my account instead to avoid leaking other people’s data. But I’d advise the presenter to reset that passphrase or stop showing it as a screenshot is quickly done. Anyway, QrCode is highly redundant and makes “unblurring” really easy. After 2-3 pass in a GAN to “deblur” the screenshot I was able to decode the passphrase of my QrCode and verified with my phone that both passphrase matches between the unblurred one and the original.

To Reproduce

Steps to reproduce the behavior:

    1. Go to Setting
    1. Screenshot the QrCode or take a picture of it via a phone (e.g, a bystander)
    1. Use any good GAN to restore some information in the QrCode. It worked after two passes for me.
    1. Reveal the passphrase and link the rogue device to the account.

Expected behavior

QrCode should be completely hidden instead of blurred

System Information:

  • OS: any desktop
  • Anytype Version: e.g. 0.20.9

Additional context

Can prove it if given a QrCode generated by anytype with the current settings. But I would avoid posting mine or the presenter’s one.



Kind ping, can a dev ack that it’s tracked somewhere?

I would like to voice my support for this proposal! +1 :heart:

@nelatmani hey! All the posts here are tracked and prioritised in our backlogs.
Thank you for your proposal, we will change this behaviour

1 Like

The recovery phrase and the qr code are now blurred with placeholders.

This topic was automatically closed after 12 days. New replies are no longer allowed.