Bitcoin Forum
May 27, 2024, 02:27:47 PM *
Author Topic: Ledger wallet App Isolation Bypass Alert  (Read 274 times)
Pmalek (Legendary; Activity: 2772; Merit: 7160)
August 07, 2020, 04:58:32 PM, #21

I find it quite worrying that their security team decided to sit on this vulnerability for several months while working on other things. Using COVID-19 as an excuse is shameful. They started testing the new Bitcoin app only when the deadline was reached. It is even worse that the fix came out just one day after the vulnerability was made public. That means that it was pretty easy for their team to fix it, they just didn't care or took their time to do it before.

As a Ledger user, this makes me wonder: is this a company I should trust with my Bitcoin?!

bob123 (Legendary; Activity: 1624; Merit: 2481)
August 07, 2020, 05:31:36 PM, #22

They did release an update (to the Trezor One) to address issues related to this vulnerability: https://blog.trezor.io/firmware-updates-for-trezor-model-t-version-2-3-2-and-trezor-model-one-version-1-9-2-f4f9c0f1ed7c

Quote
Missing path isolation check

We have amended our Trezor One code to include a missing path isolation check, which is already in place for the Trezor Model T. This check prevents a user from spending coins from known paths (BIP44, BIP49, BIP84), if the coin type does not match the path. Without this check, an attacker could trick the user into signing a Bitcoin transaction while thinking they are signing a testnet or altcoin transaction.

Yes, that's the quote I have posted.
But the question was whether there was a bug bounty from Trezor (just like with Ledger) through which they received the information regarding this, or whether they just checked their HW wallet after seeing Ledger's being vulnerable to that.
And in this case I'd guess it's #2, because their bug bounty page doesn't show anything related to this vulnerability.
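
The check the quoted Trezor passage describes, as an added example that is not Trezor's, Ledger's or the poster's code: it parses a BIP32 path and refuses to sign for a coin whose SLIP-44 coin type does not match the hardened coin_type level of a BIP44/49/84 path. The COIN_TYPES table and the function names are this example's own assumptions.

```python
# Added example, not Trezor's or Ledger's code: a simplified model of the
# "path isolation check" the quoted post describes. COIN_TYPES is a
# constructed subset of SLIP-44; the function names are this example's own.

HARDENED = 0x80000000  # BIP32 hardened-derivation bit

# SLIP-44 coin types for the coins this example knows about.
COIN_TYPES = {"Bitcoin": 0, "Testnet": 1, "Litecoin": 2}

# BIP43 purposes whose layout is m/purpose'/coin_type'/account'/change/index.
KNOWN_PURPOSES = {44, 49, 84}


def parse_path(path):
    """Parse a BIP32 path such as m/84'/0'/0'/0/5 into a list of child indices.

    A trailing ' or h marks a hardened level, stored with HARDENED set.
    """
    parts = path.strip().split("/")
    if parts[0] != "m":
        raise ValueError("path must start with 'm'")
    indices = []
    for part in parts[1:]:
        hardened = part.endswith(("'", "h"))
        number = int(part.rstrip("'h"))
        if not 0 <= number < HARDENED:
            raise ValueError("child index out of range: %s" % part)
        indices.append(number | HARDENED if hardened else number)
    return indices


def path_allowed_for_coin(path, coin):
    """Return True if `path` may sign a transaction presented to the user as `coin`.

    For the known purposes (BIP44/49/84) the coin_type level must be hardened and
    must equal the SLIP-44 type of `coin`; a mismatch is the case in the quote,
    where a mainnet Bitcoin path is signed under a testnet or altcoin label.
    """
    indices = parse_path(path)
    if not indices or (indices[0] & HARDENED) == 0:
        return True  # no hardened purpose level: not a BIP44/49/84 layout
    if (indices[0] & ~HARDENED) not in KNOWN_PURPOSES:
        return True  # unknown purpose: this check does not apply
    if len(indices) < 2 or (indices[1] & HARDENED) == 0:
        return False  # known purpose without a hardened coin_type: malformed
    return (indices[1] & ~HARDENED) == COIN_TYPES[coin]
```

With the scenario from the quote, `path_allowed_for_coin("m/44'/0'/0'/0/0", "Testnet")` returns False because coin_type 0 is Bitcoin mainnet, while the same path checked as "Bitcoin" returns True.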

TryNinja (Legendary; Activity: 2842; Merit: 7048)
August 07, 2020, 05:37:36 PM, #23

Quote from: bob123
But the question was whether there was a bug bounty from Trezor (just like with Ledger) through which they received the information regarding this, or whether they just checked their HW wallet after seeing Ledger's being vulnerable to that.
And in this case I'd guess it's #2, because their bug bounty page doesn't show anything related to this vulnerability.

Considering that the guy that reported the vulnerability about Ledger didn't even mention Trezor, I also assume #2 is correct. Trezor also only fixed the issue after the report, so he would certainly also have called them out.

bob123 (Legendary; Activity: 1624; Merit: 2481)
August 07, 2020, 05:41:12 PM, #24

Quote from: TryNinja
Considering that the guy that reported the vulnerability about Ledger didn't even mention Trezor, I also assume #2 is correct. Trezor also only fixed the issue after the report, so he would certainly also have called them out.

This makes sense, but I wonder why he didn't also report the vulnerability to Trezor.
He might have been able to get another bounty reward.

It probably wouldn't be too much additional work to test it on a Trezor.
I guess maybe he didn't have a Trezor lying around.
