Hi! I am currently working with the Web3Auth quickstart example from the Auth0 guide. I have concerns about the potential risks of a frontend developer on my team inserting malicious code that could call “eth_private_key” and transmit it externally, potentially exposing our users’ private keys. Is this a realistic threat? Is there a way to prevent calls to “eth_private_key” and have the signing done on Web3Auth’s side instead of locally on the user’s device? What are the best practices for securing this?
Hi Benoit! Thank you for reaching out with your concerns regarding the security of private keys while using Web3Auth.
From your message, I see that you are working with the Web3Auth quickstart example based on the Auth0 guide. Here are some key points we can gather for the support team:
SDK Details: Not specified
Platform: Not specified (but you are following a web-based integration using the Auth0 guide)
Regarding your concerns about potential threats from frontend developers, it is important to remember that the security of keys and sensitive actions should ideally be handled server-side rather than client-side. Here are a few best practices you might consider:
Limit Frontend Access: Ensure that only trusted developers have access to sensitive areas of your codebase.
Use Server-Side Signing: You can try to implement signing on your server instead of the client side. This helps in preventing exposure of private keys.
Code Reviews: Conduct thorough code reviews to catch any potentially malicious or risky code contributions from your team.
Monitoring and Alerts: Implement monitoring for unusual transactions or access patterns that could indicate a compromised frontend.
For the specific question about preventing calls to eth_private_key, currently, Web3Auth handles key management in a secure manner, and signing can be performed through their SDK without having to expose keys in the frontend.
If you need more specific guidance, such as code snippets or further details, let me know how I can assist!
Note: This response was generated by an AI bot and may require further verification. The Web3Auth support team has tracked this issue and will be responding as soon as possible.
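One concrete way to act on the "code reviews" and "limit frontend access" advice above is a small, automated review gate that fails CI whenever frontend source asks the Web3Auth provider for the raw key with the eth_private_key method named in the question. The block below is an added example written for this thread; it is not code from the original post or from the Web3Auth SDK. It assumes the project calls the provider in the usual provider.request({ method: "..." }) shape, and the file names and source snippets it scans are constructed for the demonstration.

```javascript
// Added example (not from the forum thread or Web3Auth's SDK): a CI / code-review
// check that flags any frontend source requesting the raw key via "eth_private_key".
// Assumption: the app talks to the provider as provider.request({ method: "..." }).

// Provider methods that hand the raw key material to page JavaScript.
const KEY_EXPORT_METHODS = ["eth_private_key"];

// Scan one file and return every line that references a key-export method.
function findKeyExportCalls(filename, source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const method of KEY_EXPORT_METHODS) {
      if (line.includes(method)) {
        findings.push({ file: filename, line: idx + 1, method, text: line.trim() });
      }
    }
  });
  return findings;
}

// Run the check over a map of { filename: source }. Files on the allowlist
// (e.g. a deliberate, reviewed "export your key" screen) are skipped; any
// other hit is a violation that should fail the build.
function auditFrontendSources(files, allowlist = []) {
  const violations = [];
  for (const [name, src] of Object.entries(files)) {
    if (allowlist.includes(name)) continue;
    violations.push(...findKeyExportCalls(name, src));
  }
  return violations;
}

// Constructed sample sources: a normal signing flow and a file that pulls the key.
const SAMPLE_FILES = {
  "src/wallet.js": `
const accounts = await provider.request({ method: "eth_accounts" });
const sig = await provider.request({ method: "personal_sign", params: [msg, accounts[0]] });
`,
  "src/analytics.js": `
const pk = await provider.request({ method: "eth_private_key" });
trackEvent("init", { pk });
`,
};

// Usage: run from a pre-commit hook or CI step and fail on any violation.
const violations = auditFrontendSources(SAMPLE_FILES);
for (const v of violations) {
  console.log(`${v.file}:${v.line} requests ${v.method}: ${v.text}`);
}
```

Run it as a pre-commit hook or CI step over the real source tree (for example by reading each file under src/ into the map) so the check is not optional for any contributor. It only covers the provider method this thread names; pairing it with a Content-Security-Policy connect-src allowlist on the served page limits which origins the browser can contact at all, which narrows what any unreviewed frontend change can do with data it obtains.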