
Bitcoin Wallet Vulnerability Discovered


A module called event-stream, used in millions of web applications and notably in BitPay’s open-source Bitcoin wallet Copay, has reportedly been compromised, potentially leaving some other wallets vulnerable as well.

BitPay published an advisory saying Copay versions 5.0.2 through 5.1.0 were affected by the malicious code and that users with these versions installed should avoid running or opening the app until they install Copay version 5.2.0.

“Our team is continuing to investigate this issue and the extent of the vulnerability,” the official announcement reads. “Currently, we have only confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps. However, the BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users.”

Copay, the affected wallet, has more than 100,000 downloads on Android, while the number of users on other platforms like iOS or Windows is unknown.

Any other wallets using this module might be affected as well, although as of the time of writing, none of them have come forward.

The problem stems from a GitHub user who volunteered to take over the library in question, injected malware and then patched it up to avoid detection.

The user, known only as “right9ctrl,” took over maintenance of the module from its original creator, developer Dominic Tarr, who said that he had not maintained the repository in years. In short, the new maintainer updated the module with malware and then hid it from view, but the numerous people who had already installed it remain affected. Well-known developer Jameson Lopp explained:

The npm "event-stream" repository has been compromised; if you are using it in a project along with "copay-dash" then the malware will steal any private keys it can find. https://t.co/fAnH6ik1n9


— Jameson Lopp (@lopp) November 26, 2018

Jackson Palmer, an Australian entrepreneur and technologist best known for creating the infamously successful "joke" cryptocurrency Dogecoin, added:

This is one of the major issues with JavaScript-based cryptocurrency wallets with heavy up-stream dependencies coming from NPM. @BitPay essentially trusted all the up-stream developers to never inject malicious code into their wallet. @dominictarr also let the attacker in, sadly

— Jackson Palmer (@ummjackson) November 26, 2018

Event-stream is downloaded roughly two million times a week by application programmers for many different uses. The version containing the malware, event-stream v3.3.6, was published on September 9 via the Node Package Manager (NPM) repository and has since been downloaded by nearly 8 million application programmers.
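A project's npm lockfile records every transitive dependency, so it can be scanned for the release named above. The following is an added example, not code from BitPay, NPM or the original article; the sample lockfiles and every package name other than event-stream are constructed for illustration.

```javascript
// Added example: find the event-stream release the article names in a parsed package-lock.json.
const FLAGGED = { name: "event-stream", version: "3.3.6" }; // version from the article

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project, not a dependency
    // The package name is whatever follows the last "node_modules/".
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (name === FLAGGED.name && meta.version === FLAGGED.version) hits.push(path);
  }
}

// lockfileVersion 1: nested "dependencies" tree; record the chain that led here.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    if (name === FLAGGED.name && meta.version === FLAGGED.version) hits.push(here.join(" > "));
    scanDependencyTree(meta.dependencies, here, hits);
  }
}

function findFlagged(lock) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, hits);
  else scanDependencyTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfiles; every name except event-stream is hypothetical.
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "example-task-runner": {
      version: "1.0.0",
      dependencies: { "event-stream": { version: "3.3.6" } },
    },
  },
};
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.0.1" },
    "node_modules/event-stream": { version: "3.3.4" }, // different release: not flagged
    "node_modules/example-task-runner/node_modules/event-stream": { version: "3.3.6" },
  },
};
console.log(findFlagged(sampleV1), findFlagged(sampleV3));
```

Each hit shows where the flagged release sits in the tree, which identifies the intermediate package that pulled it in.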

The malicious code supposedly attempted to steal digital coins stored in the Dash Copay Bitcoin wallets – distributed through the NPM – and transfer them to a server located in Kuala Lumpur. Officials from NPM removed the backdoor from NPM’s listing on Monday this week.

Source: cryptonews.com
