Data Exfiltration & Non-Custodial Assurance

Ensures that Keythings Wallet never leaks mnemonics or seeds through network requests or logging, even during session lifecycle operations.

Overview

This suite enforces the wallet's zero-custody design by checking that:

No network request bodies contain mnemonics, seed hex, or related identifiers during session save/lock flows.
secureLogger never logs mnemonics or seeds, even when clearing or migrating sessions.

In combination with the internal non-custodial architecture, these checks provide defence against a common class of crypto wallet attacks: seed exfiltration via telemetry, logs, or background sync.

Running the Tests

# From keythings-monorepo root
# Run as part of the comprehensive security suite:
bun run security:comprehensive

# Or run this suite directly:
bun tests/security/suites/data-exfiltration-tests.ts

1. Network Exfiltration Test

The network leak test monkey-patches fetch to capture request bodies during a typical save/lock lifecycle, then asserts that no secret material appears in the captured payloads.

async function runNetworkLeakTest(): Promise<void> {
  const { sessionController } = await import('../../../src/background/session-controller')
  const capturedBodies: unknown[] = []

  globalThis.fetch = (async (_input, init?: RequestInit) => {
    if (init?.body) capturedBodies.push(init.body)
    return new Response('ok')
  }) as typeof fetch

  await sessionController.saveSession('keeta_address', 'test', 'deadbeef', 'test mnemonic', 'wallet-id')
  await sessionController.lockSession()

  const asJson = JSON.stringify(capturedBodies)
  assert(!/mnemonic/i.test(asJson), 'Network body should not contain mnemonic')
  assert(!/deadbeef/i.test(asJson), 'Network body should not contain seed hex')

  recordFinding({
    area: 'Non-Custodial',
    name: 'No obvious secrets sent via fetch bodies in session lifecycle flow',
    severity: 'info',
  })
}

Vulnerability detected: Any occurrence of mnemonic or seed markers in network payloads would indicate that secrets are being transmitted off-device, violating non-custodial guarantees.

Severity: Secret exfiltration over the network would be critical severity. A clean run is recorded as info to document evidence that no obvious secrets are transmitted.

2. Logger Exfiltration Test

The logger test ensures secureLogger.warn remains safe even when warnings include session context. It monkey-patches the logger to collect messages during clearSession and scans them for leaked mnemonics or seeds.

async function runLoggerLeakTest(): Promise<void> {
  const { sessionController } = await import('../../../src/background/session-controller')
  const originalWarn = secureLogger.warn.bind(secureLogger)
  const captured: string[] = []

  ;(secureLogger as any).warn = (...args: unknown[]) => {
    captured.push(args.map((arg) => String(arg)).join(' '))
    (originalWarn as unknown as (...args: unknown[]) => void).apply(secureLogger, args)
  }

  await sessionController.clearSession()
  const joined = captured.join('
')

  if (/mnemonic/i.test(joined) || /seed/i.test(joined)) {
    recordFinding({
      area: 'Non-Custodial',
      name: 'Secrets appeared in secureLogger output',
      severity: 'high',
    })
  } else {
    recordFinding({
      area: 'Non-Custodial',
      name: 'No mnemonics or seeds in secureLogger warnings for clearSession flow',
      severity: 'low',
    })
  }
}

Vulnerabilities detected: Logging seed phrases, partial mnemonics, or derived keys into persistent logs, developer consoles, or monitoring systems.

Severity: Any appearance of seed or mnemonic material in logs is high severity due to the risk of offline compromise or log exfiltration.

Vulnerability Classes & Severity

Check	Vulnerability	Severity
Network exfiltration	Secrets present in HTTP request bodies during session lifecycle	Critical
Logger exfiltration	Secrets written to logs via secureLogger	High

Research & References

These checks are aligned with broader guidance on sensitive data exposure and secure logging:

Sensitive Data Exposure: The OWASP Top 10 A3: Sensitive Data Exposure highlights how secrets leaked over transport or at rest can lead directly to account takeover.
Secure Logging: The OWASP Secure Logging Benchmark recommends avoiding sensitive data in logs and treating logging as a potential exfiltration vector.
Malicious Extension Incidents: Public reports, such as coverage of 49 malicious Chrome crypto extensions, show real-world attacks where extensions exfiltrate wallet secrets. This suite hardens the legitimate wallet against similar leakage paths.

Together with the Session Secret Lifecycle andAdvanced Security suites, these tests provide strong evidence that Keythings Wallet treats mnemonics and seeds as truly non-exportable outside the user's local environment.

← Previous:Security for Developers

17 of 27

Cryptographic Security TestingNext →