Bitcoin Forum

Bitcoin => Wallet software => Topic started by: gentlemand on November 26, 2018, 08:52:22 PM



Title: Copay and other wallets potentially compromised with dodgy node.js module
Post by: gentlemand on November 26, 2018, 08:52:22 PM
https://www.ccn.com/breaking-numerous-bitcoin-wallets-may-have-been-compromised-by-rogue-developer/

https://github.com/bitpay/copay/issues/9346

Not so wonderful for users and revealed at a deeply unsexy time for the wellbeing of the crypto market. I use Copay for the various Bcashes only myself so I won't exactly be devastated if it does a runner. Still, keep an eye out for fixes or tips if you're exposed to this.


Title: Re: Copay and other wallets potentially compromised with dodgy node.js module
Post by: TryNinja on November 26, 2018, 10:15:19 PM
I don't use Copay, but this is worrying. Mostly because of this part:

Quote
This is one of the major issues with JavaScript-based cryptocurrency wallets with heavy up-stream dependencies coming from NPM. @BitPay essentially trusted all the up-stream developers to never inject malicious code into their wallet. @dominictarr also let the attacker in, sadly
From: https://twitter.com/ummjackson/status/1067132600739721216

Quote
You do know how many products and services do this? This is a much bigger issue than just BitPay.
From: https://twitter.com/brianchoffman/status/1067141337772888070

I already knew how dangerous running tons of third-party NPM packages can be because of this super interesting article I read a few months ago: I’m harvesting credit card numbers and passwords from your site. Here’s how. (https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5)


Title: Re: Copay and other wallets potentially compromised with dodgy node.js module
Post by: HI-TEC99 on November 27, 2018, 05:27:27 AM
Quote from: TryNinja
Quote
You do know how many products and services do this? This is a much bigger issue than just BitPay.


Is there a list of all wallets affected by this yet?


Title: Re: Copay and other wallets potentially compromised with dodgy node.js module
Post by: o_e_l_e_o on November 27, 2018, 12:20:01 PM
https://github.com/bitpay/copay/issues/9346#issuecomment-441827353

https://blog.bitpay.com/npm-package-vulnerability-copay/

Quote
Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately.

So Copay wallets from 5.0.2 through to 5.1.0 are vulnerable. BitPay apps are not vulnerable, apparently. If you are running one of these versions of the Copay app, you should not open the app. Advice is instead to update to 5.2.0, and then use "Send Max" to transfer all your funds to a new wallet. You should not restore your wallet from your mnemonic seed, as that seed is linked to potentially compromised private keys.

It is currently unclear whether this affects other wallets forked from Copay (such as Copay Dash), or any other wallets in general.


Title: Re: Copay and other wallets potentially compromised with dodgy node.js module
Post by: HeRetiK on November 28, 2018, 05:21:47 PM
Holy shit so that was the mystery payload of the event-stream backdoor! :O

Here's the GitHub discussion for anyone interested; when the backdoor was first found its intention was not yet clear:
https://github.com/dominictarr/event-stream/issues/116

Despite the severity of the issue, I don't fully agree with the article's condemnation of BitPay's practices. I also don't think that event-stream's original maintainer deserves all the flak he got.

However, it goes to show how shaky modern JavaScript development is from a security perspective. Event-stream is an extremely popular npm package and as such is rather trusted and used in a lot of other applications. As such it could have hit any other Node.js based wallet as well. This is a problem with modern JavaScript development in general, rather than with BitPay specifically.
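
Added example (not part of the thread and not code from BitPay or event-stream): since the thread's concern is a package arriving through other packages' dependencies, this sketch walks a lockfile and lists every chain by which a named package such as event-stream ends up installed. It assumes the npm lockfileVersion 1 layout (nested `dependencies` with `requires`); the sample lockfile, its other package names and all version strings are constructed.

```javascript
// Added example. Assumes npm lockfileVersion 1; SAMPLE_LOCK is constructed data.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  'example-task-runner': { version: '1.0.0', requires: { 'example-proc-tree': '^1.0.0' } },
  'example-proc-tree': { version: '1.2.0', requires: { 'event-stream': '*' } },
  'event-stream': { version: '0.0.0-example', requires: {} },
  'example-logger': { version: '2.0.0', requires: { 'event-stream': '*' },
    dependencies: { 'event-stream': { version: '0.0.1-example', requires: {} } } },
} };

// Flatten the nested "dependencies" tree into nodes keyed by install path.
function collectNodes(deps, parentPath, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = parentPath.concat(name);
    out.set(path.join('>'), { name, path, version: info.version, requires: info.requires || {} });
    collectNodes(info.dependencies, path, out);
  }
  return out;
}

// Node-style lookup: the requiring package's own nested copy wins, then each parent level.
function resolve(nodes, fromPath, depName) {
  for (let i = fromPath.length; i >= 0; i--) {
    const key = fromPath.slice(0, i).concat(depName).join('>');
    if (nodes.has(key)) return key;
  }
  return null;
}
// Every chain "top-level package > ... > target", as arrays of name@version.
function chainsTo(lock, target) {
  const nodes = collectNodes(lock.dependencies, [], new Map());
  const parents = new Map(); // installed copy -> installed packages that require it
  for (const [key, node] of nodes) {
    for (const dep of Object.keys(node.requires)) {
      const hit = resolve(nodes, node.path, dep);
      if (hit) parents.set(hit, (parents.get(hit) || []).concat(key));
    }
  }
  const label = (k) => `${nodes.get(k).name}@${nodes.get(k).version}`;
  const chains = [];
  const walk = (key, tail, seen) => {
    const chain = [label(key)].concat(tail);
    const ups = (parents.get(key) || []).filter((p) => !seen.has(p)); // cut cycles
    if (ups.length === 0) chains.push(chain);
    for (const p of ups) walk(p, chain, new Set(seen).add(p));
  };
  for (const [key, node] of nodes) if (node.name === target) walk(key, [], new Set([key]));
  return chains;
}
console.log(chainsTo(SAMPLE_LOCK, 'event-stream').map((c) => c.join(' > ')).join('\n'));
```

To run it against a real project, pass the parsed contents of that project's package-lock.json to `chainsTo` in place of `SAMPLE_LOCK`.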