Severity Assessment

CVSS Assessment

Threat Model Alignment

Classification: hardening

No documented SECURITY.md trust boundary is crossed by the localStorage write itself; the Control UI is persisting device-auth material inside an already authenticated browser origin. openclaw/docs/gateway/security/index.md explicitly treats canvas content as arbitrary HTML/JS and warns not to make that content share the same origin as privileged web surfaces unless the implications are understood, which makes extractable persistent browser storage a concrete defense-in-depth gap rather than a standalone auth bypass. This finding is not covered by the Out of Scope section because the remediation measurably reduces reusable credential exposure, but exploitation still depends on a separate same-origin JavaScript foothold, so the correct category is hardening.

Impact

The Control UI persists both its Ed25519 device signing key and its cached operator device token in localStorage. Any same-origin JavaScript foothold in that browser origin can extract both values and reuse them to establish a fresh operator WebSocket session with operator.admin, operator.read, operator.write, operator.approvals, and operator.pairing scopes.

Affected Component

Files:

• ui/src/ui/device-identity.ts:61-114 loads and stores the browser device identity, including the raw private key, under openclaw-device-identity-v1.
• ui/src/ui/device-auth.ts:12-40 persists cached device tokens under openclaw.device.auth.v1 in localStorage.
• ui/src/ui/gateway.ts:385-443 loads the stored identity, requests operator scopes, signs the connect payload with the stored private key, and caches the returned device token after a successful hello-ok.
• src/gateway/server/ws-connection/handshake-auth-helpers.ts:180-217 accepts signatures generated from the stolen private key.
• src/gateway/server/ws-connection/auth-context.ts:62-75 and src/gateway/server/ws-connection/auth-context.ts:194-241 treat auth.token as a device-token fallback and accept a stolen cached device token when it matches the paired device and requested scopes.
• src/infra/device-pairing.ts:37-45 and src/infra/device-pairing.ts:770-817 show that device tokens are long-lived pairing records with revocation/rotation timestamps but no expiry check.
• ui/src/ui/storage.ts:153-184 and ui/src/ui/storage.ts:228-231 keep the shared gateway token in session storage only, showing that persistent browser storage for auth material is already treated as sensitive elsewhere in the UI.

// ui/src/ui/device-identity.ts
const stored: StoredIdentity = {
  version: 1,
  deviceId: identity.deviceId,
  publicKey: identity.publicKey,
  privateKey: identity.privateKey,
  createdAtMs: Date.now(),
};
storage?.setItem(STORAGE_KEY, JSON.stringify(stored));

// ui/src/ui/device-auth.ts
function writeStore(store: DeviceAuthStore) {
  getSafeLocalStorage()?.setItem(STORAGE_KEY, JSON.stringify(store));
}

Technical Reproduction

1. Open the Control UI over https:// or localhost and complete one successful device-authenticated connection.
2. In the same browser profile, read the stored values with localStorage.getItem("openclaw-device-identity-v1") and localStorage.getItem("openclaw.device.auth.v1").
3. Observe that the first entry contains deviceId, publicKey, and the raw Ed25519 privateKey, while the second entry contains the cached operator deviceToken, role, and scopes.
4. Open a fresh WebSocket connection to the Gateway endpoint and wait for the connect.challenge nonce.
5. Recreate the browser connect payload using the Control UI logic in ui/src/ui/gateway.ts:243-253: build the device-auth payload for role operator, token=<stolen device token>, and the full CONTROL_UI_OPERATOR_SCOPES, then sign it with signDevicePayload(privateKey, payload).
6. Send a connect frame with auth.token set to the stolen device token and device set to the stolen device id/public key plus the fresh signature.
7. The server accepts the signature via resolveDeviceSignaturePayloadVersion(), treats auth.token as a device-token fallback in resolveConnectAuthState(), accepts that token via verifyDeviceToken(), and returns hello-ok with operator auth state.

Demonstrated Impact

This is a reusable credential pair, not a one-shot bootstrap artifact. ui/src/ui/gateway.ts:566-597 prefers the cached device token when no explicit shared token or password is present, and buildGatewayConnectDevice() at ui/src/ui/gateway.ts:229-261 signs the fresh connect payload with the stored private key. On the server side, auth-context.ts:62-75 converts auth.token into a deviceTokenCandidate fallback, then resolveConnectAuthDecision() at auth-context.ts:194-241 accepts that token when verifyDeviceToken() passes. src/infra/device-pairing.ts:37-45 defines device tokens with createdAtMs, rotatedAtMs, revokedAtMs, and lastUsedAtMs, and verifyDeviceToken() at src/infra/device-pairing.ts:770-817 enforces equality, revocation state, and approved-scope bounds only; there is no expiry field or TTL check. Together, the extracted private key and cached device token let same-origin JavaScript reopen operator sessions until the token is revoked or rotated or the pairing is removed. The existing browser UI already avoids persistent storage for the shared gateway token by keeping it session-scoped in ui/src/ui/storage.ts:230-231, so removing device-auth material from extractable localStorage yields a concrete reduction in reusable credential exposure.

Environment

Source inspection against the current openclaw/ tree. Preconditions: a browser has completed at least one successful Control UI device-auth handshake, the device is already paired, hello-ok has cached an operator device token, and the browser profile has working localStorage access for the Gateway origin.

Remediation Advice

Keep browser device-auth material non-extractable or session-scoped. Store the device signing key as a non-extractable Web Crypto key instead of serialized localStorage data, move cached device tokens out of persistent origin storage, and align Control UI device-auth handling with the existing session-only treatment used for the shared gateway token.