This repository has been archived by the owner on Apr 15, 2019. It is now read-only.
Expected behaviour
I expect to only send out signed transactions, so my passphrase never leaves my computer.
Actual behaviour
Secrets are currently sent out for all transactions; this is a major security concern.
Steps to reproduce
All transactional requests found in utils/api use "requestToActivePeer" (utils/api/peers.js), which uses the plaintext passphrase/secret in the "sendRequest" method of the lisk-js API utility.
The following transactions are affected:
setSecondPassphrase - (utils/api/account.js)
send - (utils/api/account.js)
vote - (utils/api/delegate.js)
registerDelegate - (utils/api/delegate.js)
I'm not from LiskHQ, but around 2 weeks ago I ported the entire lisk-js to PHP. All transactions are signed locally, thus only the signed transaction is broadcast. The private key and passphrase are only used locally, and as far as I know Nano is using lisk-js.
Lisk-JS does not send out secrets. What you are seeing is lisk-nano passing secrets to the module internally, which resolve into promises that post full signed objects via the peers api layer.
Ok, I was getting a bit too far ahead; this is an issue with the current development (and tagged for 1.0.0) version of Lisk-JS.
Since Lisk-Nano is using Version 0.4.5, this issue is not relevant for now.
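One way to verify the expected behaviour from this issue in a client, as an added example that is not code from lisk-js or lisk-nano: a guard that inspects every outgoing payload and refuses to hand it to the transport if it carries a secret field or a mnemonic-shaped string. The names `findSecretLeaks` and `guardTransport`, the field names other than `secret`, and the sample payloads are assumptions made for illustration.

```javascript
// Field names treated as secret material (assumed; only `secret` is named in the issue).
const SECRET_KEYS = new Set(['secret', 'secondsecret', 'passphrase', 'secondpassphrase']);
// 12 to 24 lowercase words separated by single spaces: the shape of a mnemonic passphrase.
const MNEMONIC_RE = /^[a-z]+( [a-z]+){11,23}$/;

// Walk a request payload and return the paths of fields that carry secret material.
function findSecretLeaks(value, path = '$', seen = new Set()) {
  if (typeof value === 'string') {
    return MNEMONIC_RE.test(value.trim()) ? [`${path} (mnemonic-shaped value)`] : [];
  }
  if (value === null || typeof value !== 'object' || seen.has(value)) return [];
  seen.add(value); // guard against cyclic payloads
  const leaks = [];
  for (const [key, child] of Object.entries(value)) {
    const childPath = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
    if (!Array.isArray(value) && SECRET_KEYS.has(key.toLowerCase())) {
      leaks.push(`${childPath} (secret field name)`);
    } else {
      leaks.push(...findSecretLeaks(child, childPath, seen));
    }
  }
  return leaks;
}

// Wrap any transport function so a payload with secret material is never handed to it.
function guardTransport(send) {
  return (endpoint, payload) => {
    const leaks = findSecretLeaks(payload);
    if (leaks.length > 0) {
      throw new Error(`refusing to send ${endpoint}: ${leaks.join(', ')}`);
    }
    return send(endpoint, payload);
  };
}

// Constructed sample payloads (not captured traffic).
const SAMPLE_PASSPHRASE = 'alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima';
const leakyRequest = { secret: SAMPLE_PASSPHRASE, amount: 100, recipientId: '123L' };
const signedRequest = {
  transaction: { type: 0, amount: 100, recipientId: '123L',
    senderPublicKey: 'ab'.repeat(32), signature: 'cd'.repeat(64) },
};
```

Wrapping the transport in unit tests makes a regression of the kind reported here fail loudly instead of reaching a peer.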