Authorization Bypass in Starknet Snap via enableAuthorize parameter leads to unauthorized transaction signing
Medium
Vulnerability Details
## Summary:
The Starknet Snap by Consensys contains a critical security vulnerability that allows malicious websites to bypass user authorization when signing messages or transactions. The vulnerability exists in the `enableAuthorize` parameter, which can be controlled by any website. When it is set to `false`, the confirmation dialog is not shown to the user, so a malicious website can sign arbitrary messages or transactions without user approval, potentially leading to asset theft.
## Steps To Reproduce:
1. Make sure MetaMask is installed
2. Visit https://snaps.consensys.io/starknet
3. Click "Connect with MetaMask" button to install the StarkNet Snap
4. Download the HTML file "exp-starknet.html" and host it on local port 5555
5. Visit http://localhost:5555/exp-starknet.html
6. Click "start PoC" button
7. Accept the connection request
8. Observe that the signed message is shown in the page without user approval
## Supporting Material/References:
The vulnerability exists in the following code: https://github.com/Consensys/starknet-snap/blob/main/packages/starknet-snap/src/rpcs/sign-message.ts#L77
```ts
protected async handleRequest(
  params: SignMessageParams,
): Promise<SignMessageResponse> {
  const { enableAuthorize, typedDataMessage, address } = params;
  if (
    // Get Starknet expected not to show the confirm dialog, therefore, `enableAuthorize` will set to false to bypass the confirmation
    // TODO: enableAuthorize should set default to true
    enableAuthorize &&
    !(await renderSignMessageUI({
      address,
      typedDataMessage,
      chainId: this.network.chainId,
    }))
  ) {
    throw new UserRejectedOpError() as unknown as Error;
  }
  return await signMessageUtil(
    this.account.privateKey,
    typedDataMessage,
    address,
  );
}
```
* exp-starknet.html - an example exploit
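To make the authorization gap concrete, here is an added model of the handler (not the snap's own code) with the request-controlled `enableAuthorize` check beside a hardened variant in which the request cannot opt out of the dialog; the `ConfirmFn`, `SignOutcome`, `makeConfirm` and `signStub` names are assumptions introduced for this example, and the signing call is a stub.

```typescript
// Added example, not the snap's code: models the sign-message handler so the
// effect of a caller-controlled `enableAuthorize` can be checked directly.

type SignMessageParams = {
  address: string;
  typedDataMessage: Record<string, unknown>;
  enableAuthorize?: boolean; // supplied by the requesting dapp in the vulnerable shape
};

// Models renderSignMessageUI: returns true when the user approves (assumed name).
type ConfirmFn = (address: string) => boolean;

type SignOutcome = { prompted: boolean; signed: boolean; error?: string };

// Builds a confirm callback that records every prompt so callers can assert on it.
function makeConfirm(userApproves: boolean, log: string[]): ConfirmFn {
  return (address) => {
    log.push(`prompt:${address}`);
    return userApproves;
  };
}

// Stand-in for signMessageUtil; real code would sign with the account key.
function signStub(address: string, typedDataMessage: Record<string, unknown>): string {
  return `sig(${address}:${JSON.stringify(typedDataMessage)})`;
}

// Vulnerable shape: a falsy `enableAuthorize` skips the dialog entirely,
// so a dapp that passes `false` (or omits it) gets a signature with no user approval.
function handleRequestVulnerable(params: SignMessageParams, confirm: ConfirmFn): SignOutcome {
  const { enableAuthorize, typedDataMessage, address } = params;
  if (enableAuthorize && !confirm(address)) {
    return { prompted: true, signed: false, error: "UserRejectedOpError" };
  }
  signStub(address, typedDataMessage);
  return { prompted: Boolean(enableAuthorize), signed: true };
}

// Hardened shape: the dialog is always rendered and the request body cannot disable it.
// Any exemption for a trusted caller must be decided by the snap from data it controls
// (e.g. the request origin), never from a parameter the dapp sets.
function handleRequestHardened(params: SignMessageParams, confirm: ConfirmFn): SignOutcome {
  const { typedDataMessage, address } = params;
  if (!confirm(address)) {
    return { prompted: true, signed: false, error: "UserRejectedOpError" };
  }
  signStub(address, typedDataMessage);
  return { prompted: true, signed: true };
}
```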
Report Stats
- Report ID: 3507241
- State: Closed
- Substate: resolved
- Upvotes: 1