Title: Ledger App Isolation Bypass Vulnerabilities
Post by: cryptomaniac_xxx on August 06, 2020, 10:26:16 AM

I found this post, https://monokh.com/posts/ledger-app-isolation-bypass.
It's about supposed vulnerabilities on Ledger.

Quote
The ledger device exposes bitcoin (mainnet) public key and signing functionality outside of the "Bitcoin" app. It presents misleading transaction confirmation requests indicating the selected app's addresses and amounts when in fact different transactions are being signed.

I'm not an expert or anything, but it looks like Ledger hasn't addressed these issues so far, or they are being addressed right now; it looks like it's taking months for them. In that expose, you can see the Disclosure Timeline.

Quote
Disclosure Timeline
18 Jan 2019 - Privacy related aspect of the vulnerability (reading addresses) disclosed to Ledger via report and PoC. (bounty@ledger.fr)
    Ledger: Firmware was updated but apps still need to be updated.
    Prompted for public disclosure: Bug will be disclosed once apps are updated.
30 Apr 2019 - Disclosed issue unfixed - Ledger contacted for update. No response. (bounty@ledger.fr)
1 May 2020 - Discovered root cause expands to signing functions and can be exploited to steal funds (bounty@ledger.fr)
2 May 2020 - New report detailing bypassing the isolation for signing disclosed to Ledger with new report and PoC (bounty@ledger.fr)
4 May 2020 - Ledger investigating. (bounty@ledger.fr)
10 May 2020 - No response. Follow up. (bounty@ledger.fr)
12 May 2020 - Issue acknowledged - mistakenly at first as only privacy related - set out disclosure timeline (bounty@ledger.fr)
13-14 May 2020 - Exchanges with ledger clarifying severity and awareness (bounty@ledger.fr)
17 June 2020 - Request for update (bounty@ledger.fr) - No response
28 July 2020 - Request for update sent to Ledger Donjon (Twitter DM) - No response
03 Aug 2020 - Vulnerability not fixed or disclosed by Ledger. Public disclosure

Title: Re: Ledger App Isolation Bypass Vulnerabilities
Post by: chronicsky on August 06, 2020, 11:43:36 AM

https://donjon.ledger.com/lsb/014/
One should be very careful when using hardware wallets (or any, for that matter). Do not connect to just any 3rd party application, and try to keep your Ledger with BTC separate from shitcoins.

Code:
Date Action

So much miscommunication.

Title: Re: Ledger App Isolation Bypass Vulnerabilities
Post by: TryNinja on August 06, 2020, 11:49:21 AM

An update with the fix (kinda) is already available on the Ledger Live: https://twitter.com/ledger/status/1291061084435238912
There is now a warning that should make users aware of a potential issue with that. Here is their FAQ: https://support.ledger.com/hc/en-us/articles/360015738179

Title: Re: Ledger App Isolation Bypass Vulnerabilities
Post by: bitmover on August 06, 2020, 04:23:01 PM

Quote
do not connect to just any 3rd party application and try to keep your ledger with BTC separate from shitcoins.

I was thinking about how this vulnerability could be exploited, and that's exactly the case. If you connect your Ledger to third party malicious software, they could steal your BTC.

That's kind of a serious vulnerability; sadly Ledger didn't handle it well.

Title: Re: Ledger App Isolation Bypass Vulnerabilities
Post by: hatshepsut93 on August 06, 2020, 07:02:38 PM

First the data breach, now the disclosure of this vulnerability, that seems to have been there for more than a year. Some people would say that Ledger is a bad company, but I think other hardware wallet companies aren't immune from such issues, and in the long run they too will have their share of security failures.

What we should learn from this is that there are no simple solutions that can allow users to bypass deeper learning of Bitcoin and security. Bitcoin's decentralized nature makes it have much higher security requirements than its centralized competitors.
Title: Re: Ledger App Isolation Bypass Vulnerabilities
Post by: Baofeng on August 06, 2020, 07:04:23 PM

Quote
Quote
do not connect to just any 3rd party application and try to keep your ledger with BTC separate from shitcoins.

I was thinking about how this vulnerability could be exploited, and that's exactly the case. If you connect your Ledger to third party malicious software, they could steal your BTC.

That's kind of a serious vulnerability; sadly Ledger didn't handle it well.

This one, we really don't know if they ignored monokh or just totally forgot about it. And now it is out in the crypto social media, and it seems they are too late again in reacting. Making them look very bad again.