could a malware intercept and change BIP21 too?

[pooya87]

recently there have been a lot of discussion about this specific kind of malware (clipboard hijacker) which is basically looking at memory (clipboard) and changes any bitcoin address that enters it to the hacker's address.
it looks to me that using BIP21 (Bitcoin URI Scheme) solves this issue very easily as nothing enters clipboard anymore, it just tells the pre-defined default application what to do (eg. http://foobar.com tells the default browser to go to foobar.com using http protocol).

my question is whether there is any way a malware could also intercept this process and change the address?

[bob123]

Once your computer is compromised, anything can be done which is not explicitly protected by cryptography.

While there is a lot of clipboard malware around, potentially this could have been more sophisticated malware compromising the whole system instead of just looking for the clipboard. So much more damage could have been done.

Once an attacker has made it onto your computer, basically everything is possible. Obviously there still is the challenge to get root / administrator privileges to actually be able to do everything.
The moment he achieved root/administrator privileges, he can change and modify any software you are using.

In this case, the answer to your question is yes. A malware could intercept and change everything. But generally speaking:
1) If he has full access to your computer, he might as well just extract your private keys / seed
2) This is easier sad than done.

Most malware you find is created by some script kiddie, who doesn't even know how to circumvent security measurements properly (e.g. AV evasion).
That's the reason they focus on easy to implement things like changing the clipboard (done with a few lines of code and doesn't require more than user privileges on the target system).


Long story short:
Yes this is possible. Just as encrypting a whole system or gaining access to a webcam is possible.
But you are more likely to encounter "dumb" malware (e.g. clipboard changing malware).
As long as you are not using the security nightmare OS (Win 7), you are relatively fine anyway.

[Theb]

recently there have been a lot of discussion about this specific kind of malware (clipboard hijacker) which is basically looking at memory (clipboard) and changes any bitcoin address that enters it to the hacker's address.
it looks to me that using BIP21 (Bitcoin URI Scheme) solves this issue very easily as nothing enters clipboard anymore, it just tells the pre-defined default application what to do (eg. http://foobar.com tells the default browser to go to foobar.com using http protocol).

The URI scheme is really not a solution here and is only a method for those who are generally transacting using direct links and scanning QR code as automatically the addresses are inputted in address field. This isn't really a solution for the clipboard/copy-paste virus and still for people still preferring to copy and paste their crypto addresses they are still technically vulnerable to viruses like this that can alter your addresses.

my question is whether there is any way a malware could also intercept this process and change the address?

Just my two cents on this one, anything in the coding world can be hack and there is no definite and secure solution that will last a life time. That's why we always see news about newer versions of Electrum being launch instantly because older versions like the 3.3.3 and 3.3.4 are now susceptible to hacks and phishing attacks, that's why are Windows operating system are getting Windows Security updates, these are just examples of how are hackers are always discovering vulnerabilities and how the services will react to it. Nothing is safe just by relying on the service/program itself you as a user should always take extra precautionary measures using your computer.

[goatpig]

1) Replace the [bitcoin:] URI scheme handler with your malware in the registry (save the current, valid handler in the process).
2) Whenever a user runs bitcoin: URI, your malware will be spawned. Replace the address in URI with yours and spawn the valid process with that.

I would say this is significantly easier to implement than a clipboard hack tbh. You do not need increased privileges to set that stuff for a user account.

[DaveF]

What goatpig said.
Makes you wonder if a variation of BIP70 would work.

Or something new:
Merchant makes a payment request -> user gets address and pays -> bitcoin app generates unsigned payment -> transmits info to merchant -> Yes / No response from merchant -> if yes sign and transmit if no big red warning.

For a piece of malware to get around that they would need to have a lot more control of your system so at that point you are kind of screwed anyway.

-Dave

[BrewMaster]

What goatpig said.
Makes you wonder if a variation of BIP70 would work.

BIP70 increases the resistance against the man-in-the-middle attacks since it requires the communication using the server's certificate which would then be authenticated from the operating system.
from what i understand it is the same as when you visit a website with SSL encryption.
the way to attack this would be to manipulate the certificate authority on the OS then intercept the communication.

[DaveF]

BIP70 increases the resistance against the man-in-the-middle attacks since it requires the communication using the server's certificate which would then be authenticated from the operating system.
from what i understand it is the same as when you visit a website with SSL encryption.
the way to attack this would be to manipulate the certificate authority on the OS then intercept the communication.

Which is kind of my point. If the attacker can get that kind of access to your system. They already have all your BTC as soon as you put in the password to your wallet.
A clipboard changer may or may not be sophisticated enough to be able to phone home and do other things. It might even be limited to just hijacking browser text.
If you are subverting SSLs then you can already install your own executable unsigned apps and updates.

Stay safe.

-Dave

[goatpig]

The issue with this kind of strategies is that you are identifying the vendor for each and every payment, so you end up cutting costs on sanity/security checks to improve the UX. Security always comes at a cost in convenience.

IMO the solution is to impose one costly verification and streamline from there:

- Step #1, identification: check WoT sigs on the vendor's widely known, easy to find secp256k1 public key.
- Step #2, payment: On each payment, ECDH the vendor's public key with a salt of your own, pass that salt to the vendor and broadcast the payment.

This requires additional logistics (delivering the salt, tying it to the purchase) which makes it a perfect service to offer by payment processors.