Severity: low

Insecure Credential Storage



All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key.


No fix is currently available. Consider using an alternative module until a fix is made available.

Have content suggestions? Visit

Advisory timeline

  1. published

    Advisory Published
    May 14th, 2019
  2. reported

    Reported by sshelton76
    May 6th, 2019