We have played around a bit.
CHROME and SAFARI allow the following proof of vulnerability:
- Create the .HTML & .JS files below
- Run the .HTML in the browser which you use for NanoWallet
- See the contents of the LOCALSTORAGE displayed
- (Bruteforcing the symmetric encryption is another thing)
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Show Browser LocaStorage</title>
document.getElementById("result").innerHTML = JSON.stringify(localStorage);
If you feel your login password into your Nanowallet may be too weak (bruteforce-able) - it does not help to export the private key, and re-create a new wallet via “Sign Up” in the Nanowallet.
This is because the old localstorage may already be stolen and worked on by brute-forcers.
Mitigation: Transfer your XEM to a new NEM ACCOUNT which resides in a secure wallet.
For some time, we may have to live with the fact that the browsers’ localstorage is not “secure”.
Rene - LuxTag powered by NEM
[Thanks to @musdom (Developer at LuxTag) ]