OtterSec researchers discovered critical vulnerabilities in React Native WebView and similar mobile wallet libraries. Missing origin isolation allows malicious dApps to access camera, GPS, and other permissions without user consent, affecting over 20 production wallets across the ecosystem.

OtterSec identified three categories of WebView vulnerabilities in mobile web3 wallets: (1) missing origin isolation for permission requests, which allows a malicious dApp to hijack camera, GPS, and other permissions already granted to the wallet app; (2) unprotected local network access, which enables attacks against home routers and IoT devices without any visibility to the user; and (3) code injection risks via insecureJavaScriptObject handling. The researchers found more than 20 major wallets vulnerable, including at least one Stellar wallet using the Justson library. MetaMask's patch approach is cited as a model, but it remains imperfect because of UX and clickjacking risks.
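The first two issue classes above share a defender-side fix: a WebView that hosts dApps must decide permission requests per dApp origin (the way a browser does), never on the basis of the OS-level permission the host wallet app already holds, and it must refuse to navigate to private or local network addresses by default. The following is an added example written for this page; it is not OtterSec's code, not MetaMask's patch, and not the API of React Native WebView or any other library named here. The function names, the grant store and the sample requests are constructed for illustration; wiring it into a real WebView's permission and navigation callbacks is left to the integrator.

```javascript
// Added example (not OtterSec's or any wallet's code): a policy layer for a
// mobile wallet's dApp WebView. It models two of the issues described above:
// permission requests decided per dApp origin rather than inherited from the
// host app, and navigations to local/private network addresses blocked by
// default. Names and sample data are constructed and hypothetical.

const PERMISSIONS = new Set(["camera", "microphone", "geolocation"]);

// Reduce a URL to its origin (scheme://host[:port]); rejects non-web schemes.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  return u.origin;
}

// Per-origin grant store: Map<origin, Set<permission>>. The host app's own
// OS permission state is deliberately not consulted anywhere in this class.
class OriginPermissionStore {
  constructor() { this.grants = new Map(); }
  grant(origin, permission) {
    if (!PERMISSIONS.has(permission)) throw new Error(`unknown permission: ${permission}`);
    if (!this.grants.has(origin)) this.grants.set(origin, new Set());
    this.grants.get(origin).add(permission);
  }
  revoke(origin) { this.grants.delete(origin); }
  has(origin, permission) {
    const s = this.grants.get(origin);
    return s !== undefined && s.has(permission);
  }
}

// Decide a WebView permission request. `requestUrl` is the URL of the page
// that asked; the decision is keyed on its origin only.
// Returns "grant", "deny" or "prompt" (prompt = show the user a consent UI).
function decidePermission(store, requestUrl, permission) {
  if (!PERMISSIONS.has(permission)) return "deny";
  let origin;
  try { origin = originOf(requestUrl); } catch { return "deny"; }
  return store.has(origin, permission) ? "grant" : "prompt";
}

// RFC 1918, loopback, link-local and "this network" IPv4 ranges.
// The WHATWG URL parser already normalises forms like 0x7f000001 or
// 2130706433 to dotted quads, so matching on `hostname` is sufficient here.
function isPrivateIPv4(host) {
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || a === 0 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Local or private host: IPv6 loopback/link-local/ULA literals, localhost,
// mDNS (.local) names, and private IPv4 literals.
function isLocalHost(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  if (h.includes(":")) {
    return h === "::1" || h === "::" || h.startsWith("fe80:") || /^f[cd]/.test(h);
  }
  return h === "localhost" || h.endsWith(".localhost") || h.endsWith(".local") ||
    isPrivateIPv4(h);
}

// Navigation filter: true only for https URLs that do not point at the
// user's local network. Unparseable URLs are refused rather than guessed at.
function allowNavigation(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== "https:") return false;
  return !isLocalHost(u.hostname);
}
```

Note that the filter only covers URL literals and names; a public hostname whose DNS record resolves to a private address (DNS rebinding) is not caught at this layer and needs a resolver-side or network-layer check in addition.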