What's the point of allowing `eth_private_key` to be called so easily?

Please provide the following details too when asking for help in this category:

  • SDK Version: 7.0.4
  • Platform: Web

Please provide the Web3Auth initialization and login code snippet below:

      // getWeb3Auth() is the app's own factory for a configured Web3Auth instance
      const web3auth = await getWeb3Auth();
      await web3auth.init();

      // After login the frontend can pull the raw private key straight out of
      // the provider with a single request, with no user consent step involved
      const privateKey = (await web3auth.provider.request({
        method: 'eth_private_key',
      })) as string;
      console.log({ privateKey });

For example, a scammer can create a web app, and then trick users into depositing their money to the compromised accounts.

Is there anything we can do to prevent the use of it, or to require consent for suspicious configurations?

@michael1 Welcome Aboard!

Your feedback has been forwarded to our team and we will get back with further updates.

Any news? @vjgee this is critical

Hey @michael1

This is a feature for the dApp to implement, as the Web3Auth keys are app scoped, i.e. they change with respect to each app. Also, the private key provider is only available in the app frontend.

So even if a scammer tries to implement an app using Web3Auth, they can only get the private key specific to their app, in which case, until the user adds funds, there’s no benefit to private key export. If the user adds funds, they trust the app.
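Since the reply above leaves the consent step to the dApp, here is one way a dApp could implement it. This is an added example and not Web3Auth's own code: it wraps an EIP-1193-style provider (the `provider.request({ method })` shape shown in the original post) so that `eth_private_key` is either refused outright by app policy or only passed through after an explicit, user-initiated confirmation, while every other method is untouched. The `policy` object, the `askUser` callback, the `guardProvider` helper and the `fakeProvider` stand-in are all assumptions made for this example; the key value it returns is constructed and fake.

```javascript
// Added example, not Web3Auth code: a consent gate in front of an
// EIP-1193-style provider so a raw-key export cannot happen silently
// in the dApp frontend.

// Methods that hand raw key material to the caller. Only eth_private_key
// appears in the thread; the set is a hypothetical policy a dApp would extend.
const SENSITIVE_METHODS = new Set(['eth_private_key']);

// Pure policy decision, kept separate so it can be unit-tested.
// Returns 'allow', 'deny', or 'consent' (needs an explicit user decision).
function classifyRequest(method, policy) {
  if (!SENSITIVE_METHODS.has(method)) return 'allow';
  if (!policy.allowKeyExport) return 'deny';
  return 'consent';
}

// Wrap a provider. `askUser(method)` is a hypothetical async callback that
// must resolve to true only after a user-initiated confirmation (e.g. a modal
// with a clear warning), never automatically. `log` receives an audit record
// of every decision so the app can surface or monitor export attempts.
function guardProvider(provider, policy, askUser, log = []) {
  return {
    async request(args) {
      const decision = classifyRequest(args.method, policy);
      log.push({ method: args.method, decision });
      if (decision === 'deny') {
        throw new Error(`${args.method} is disabled by app policy`);
      }
      if (decision === 'consent' && !(await askUser(args.method))) {
        throw new Error(`user declined ${args.method}`);
      }
      return provider.request(args); // ordinary calls pass straight through
    },
  };
}

// Constructed stand-in for web3auth.provider; the key it returns is fake.
const fakeProvider = {
  async request({ method }) {
    if (method === 'eth_private_key') return '0x' + 'ab'.repeat(32);
    if (method === 'eth_accounts') return ['0x0000000000000000000000000000000000000001'];
    throw new Error(`unsupported method ${method}`);
  },
};

// Exercises the three outcomes: policy deny, consent declined, consent granted.
async function demo() {
  const auditLog = [];
  const locked = guardProvider(fakeProvider, { allowKeyExport: false }, async () => true, auditLog);
  const accounts = await locked.request({ method: 'eth_accounts' });
  let leaked = null;
  try {
    leaked = await locked.request({ method: 'eth_private_key' });
  } catch (e) { /* refused by policy: key never reaches the caller */ }

  const declined = guardProvider(fakeProvider, { allowKeyExport: true }, async () => false);
  let declinedKey = null;
  try {
    declinedKey = await declined.request({ method: 'eth_private_key' });
  } catch (e) { /* user said no in the consent dialog */ }

  const approved = guardProvider(fakeProvider, { allowKeyExport: true }, async () => true);
  const exported = await approved.request({ method: 'eth_private_key' });

  return { accounts, leaked, declinedKey, exportedLength: exported.length, auditLog };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

The useful property is that the wrapped object has the same `request` interface as the real provider, so the rest of the dApp can be handed the guarded instance and never sees the raw one; the audit log also gives the app a place to detect unexpected export attempts from third-party code running in the page.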

@yashovardhan thanks for your response.

Btw, I changed to the MPC Wallet implementation; since there is no possibility of the developers requesting a private key, it is good to go.

One question: if a user wants to export their private key using MPC Wallet, how do they do it?

Hello @michael1
You can use this function.

Also, here’s more detailed information about the unsafe exportTssKey; someone else asked a similar question previously, so you can refer to that.