From 13e2bdb0b00d238c6a500420fa6dddcda7693fde Mon Sep 17 00:00:00 2001
From: clawbot
Date: Fri, 27 Feb 2026 11:35:21 -0800
Subject: [PATCH] security: add prominent danger warning for eth_sign requests
---
 src/background/index.js | 7 +++++++
 src/popup/index.html | 6 ++++++
 src/popup/views/approval.js | 12 ++++++++++++
 3 files changed, 25 insertions(+)
diff --git a/src/background/index.js b/src/background/index.js
index a027264..55bb12c 100644
--- a/src/background/index.js
+++ b/src/background/index.js
@@ -441,6 +441,13 @@ async function handleRpc(method, params, origin) {
 ? { method, message: params[0], from: params[1] }
 : { method, message: params[1], from: params[0] };
+ if (method === "eth_sign") {
+ signParams.dangerWarning =
+ "\u26a0\ufe0f DANGER: This site is requesting to sign a raw hash. " +
+ "This can be used to sign transactions that drain your funds. " +
+ "Only proceed if you fully understand what you are signing.";
+ }
+
 const decision = await requestSignApproval(
 origin,
 hostname,
diff --git a/src/popup/index.html b/src/popup/index.html
index 653093b..07ddb4d 100644
--- a/src/popup/index.html
+++ b/src/popup/index.html
@@ -1015,6 +1015,12 @@ wants you to sign a message.
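Review bot: The `eth_sign` branch in `handleRpc` only attaches warning text to `signParams`; the request still goes to `requestSignApproval` like any other signature, so the only control between a site and a blind signature over a raw hash is a sentence the user can click through. Because the wallet cannot decode that hash for the user, a default-deny gate is the stronger control: `if (method === "eth_sign" && !allowEthSign) { /* reject, e.g. EIP-1193 4200 Unsupported Method */ }`, where `allowEthSign` is a placeholder for an opt-in setting that this page does not show. It would also be more robust to pass a boolean, or let the popup key on `signParams.method`, instead of shipping display prose from the background script, since a dropped field then cannot silently remove the warning. `handleRpc` starts and ends outside the hunk, so the rejection shape has to match whatever its other error paths return.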

+ +
Type
diff --git a/src/popup/views/approval.js b/src/popup/views/approval.js
index 509557f..c86a1a0 100644
--- a/src/popup/views/approval.js
+++ b/src/popup/views/approval.js
@@ -294,6 +294,18 @@ function showSignApproval(details) {
 }
 }
+ // Display danger warning for eth_sign (raw hash signing)
+ const warningEl = $("approve-sign-danger-warning");
+ if (warningEl) {
+ if (sp.dangerWarning) {
+ warningEl.textContent = sp.dangerWarning;
+ warningEl.classList.remove("hidden");
+ } else {
+ warningEl.textContent = "";
+ warningEl.classList.add("hidden");
+ }
+ }
+
 $("approve-sign-password").value = "";
 $("approve-sign-error").classList.add("hidden");
 $("btn-approve-sign").disabled = false;
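Review bot: The `if (warningEl)` guard in `showSignApproval` fails open: if `approve-sign-danger-warning` is missing from the popup markup, an `eth_sign` request renders with no warning and the last context line still enables `btn-approve-sign`. For a security warning, the missing-element case should block approval rather than be skipped, for example `if (sp.dangerWarning && !warningEl) { $("btn-approve-sign").disabled = true; return; }` placed before the button is re-enabled. Rendering through `textContent` is the right choice and should stay. `sp` is defined outside the hunk and the function continues past it, so confirm that an early return does not skip other state resets.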