Bitcoin Forum

Economy => Web Wallets => Topic started by: hugeblack on November 27, 2018, 11:06:24 AM



Title: Copay version from 5.0.2 to 5.1.0 [Please do not open the app]
Post by: hugeblack on November 27, 2018, 11:06:24 AM
Based on some of the reports in #9346 "`event-stream` dependency attack steals wallets from users of copay (https://github.com/bitpay/copay/issues/9346)", some packages have been modified to load malicious code that can capture users' private keys.
Therefore, anyone who uses the previous versions "from 5.0.2 to 5.1.0" of these wallets should not open or run any of them, nor should they be recovered using the 12-word backup phrases of those wallets.

Our team is continuing to investigate this issue and the extent of the vulnerability. In the meantime, if you are using any Copay version from 5.0.2 to 5.1.0, you should not run or open the app. A security update version (5.2.0) has been released and will be available for all Copay and BitPay wallet users in the app stores momentarily.

Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately. Users should not attempt to move funds to new wallets by importing affected wallets' twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.


Title: Re: Copay version from 5.0.2 to 5.1.0 [Please do not open the app]
Post by: bL4nkcode on November 27, 2018, 11:33:29 AM
It's being said that even all the million NPM module users are affected as well, not only Copay.
https://twitter.com/ummjackson/status/1067131569612058624


Title: Re: Copay version from 5.0.2 to 5.1.0 [Please do not open the app]
Post by: LeGaulois on November 27, 2018, 02:54:44 PM
You have to admit, handing the module maintenance to a foreign guy you have never heard of and who just emailed you is totally ridiculous.  :D
Does it mean, then, that any crypto wallet that makes use of JavaScript is potentially vulnerable or already infected? I can already smell the waves of articles about this. As if we needed more bad news these days...  ::)


Title: Re: Copay version from 5.0.2 to 5.1.0 [Please do not open the app]
Post by: TryNinja on November 27, 2018, 04:45:20 PM
Quote from: LeGaulois
You have to admit, handing the module maintenance to a foreign guy you have never heard of and who just emailed you is totally ridiculous.  :D
Does it mean, then, that any crypto wallet that makes use of JavaScript is potentially vulnerable or already infected? I can already smell the waves of articles about this. As if we needed more bad news these days...  ::)
Any crypto wallet pulling random NPM modules for their projects.

Check my post in the other thread:
I don't use Copay, but this is worrying. Mostly because of this part:

Quote
This is one of the major issues with JavaScript-based cryptocurrency wallets with heavy up-stream dependencies coming from NPM. @BitPay essentially trusted all the up-stream developers to never inject malicious code into their wallet. @dominictarr also let the attacker in, sadly
From: https://twitter.com/ummjackson/status/1067132600739721216

Quote
You do know how many products and services do this? This is a much bigger issue than just BitPay.
From: https://twitter.com/brianchoffman/status/1067141337772888070

I already knew how dangerous running tons of third-party NPM packages can be because of this super interesting article I read a few months ago: I’m harvesting credit card numbers and passwords from your site. Here’s how. (https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5)
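The "heavy up-stream dependencies" point in the quotes above is easy to check for in practice. As an added example (not code from the thread, from Copay, or from BitPay), this walks an npm package-lock.json in the lockfile v1 layout that npm 5/6 used in 2018 and lists every dependency chain through which a named package such as `event-stream` reaches a project; the sample lockfile and the package names `wallet-build-tool`, `stream-helpers` and `left-util` are constructed.

```javascript
// Added example, not code from Copay/BitPay or from this thread. Walks an
// npm package-lock.json (lockfile v1 layout, npm 5/6) and reports every
// dependency chain through which a named package such as `event-stream`
// reaches the project. The sample lockfile below is constructed.

// Build name -> Set(dependency names) from the v1 "dependencies" tree,
// following "requires" edges and descending into nested "dependencies".
function buildGraph(lock) {
  const graph = new Map();
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (!graph.has(name)) graph.set(name, new Set());
      for (const dep of Object.keys(entry.requires || {})) graph.get(name).add(dep);
      walk(entry.dependencies); // nested (non-deduplicated) installs
    }
  };
  walk(lock.dependencies);
  return graph;
}

// Return every chain root -> ... -> target as arrays of package names.
// `roots` are the project's direct dependencies from package.json.
function findChains(graph, roots, target) {
  const chains = [];
  const visit = (name, path) => {
    if (path.includes(name)) return; // cycle guard
    const chain = [...path, name];
    if (name === target) { chains.push(chain); return; }
    for (const dep of graph.get(name) || []) visit(dep, chain);
  };
  for (const root of roots) visit(root, []);
  return chains;
}

// Constructed sample: the direct dependency "wallet-build-tool" pulls
// event-stream in through "stream-helpers"; "left-util" does not.
const SAMPLE_LOCK = {
  dependencies: {
    "wallet-build-tool": { version: "1.0.0", requires: { "stream-helpers": "^2.0.0" } },
    "stream-helpers": { version: "2.0.0", requires: { "event-stream": "^3.0.0" } },
    "event-stream": { version: "3.0.0", requires: { "map-stream": "~0.1.0" } },
    "map-stream": { version: "0.1.0" },
    "left-util": { version: "0.2.0" }
  }
};
// For a real project: findChains(buildGraph(JSON.parse(lockfileText)), roots, "event-stream")
function auditSample() {
  return findChains(buildGraph(SAMPLE_LOCK), ["wallet-build-tool", "left-util"], "event-stream");
}
```

Each reported chain names the direct dependency a team actually chose, which is the one that can be pinned, vendored or replaced.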