Bitcoin Forum
May 05, 2024, 03:16:30 PM *
Author Topic: [2018-11-27] Breaking: Numerous Bitcoin Wallets May Have Been Compromised by Rog  (Read 185 times)
Lmaooo (OP)
November 27, 2018, 01:41:33 AM
 #1

Breaking: Numerous Bitcoin Wallets May Have Been Compromised by Rogue Developer

A Node.js module called event-stream is used in millions of web applications, including BitPay’s open-source bitcoin wallet — Copay — and this module was reportedly compromised thanks to what can objectively be referred to as social engineering, laziness, and incompetence.

A user with very little coding activity on GitHub requested publishing rights to the event-stream library from its previous maintainer, Dominic Tarr, who said that he had not maintained the repository in years and gave control to the new user, called right9ctrl.

The library event-stream is used in many Node.js applications. According to a complainant on GitHub, the new maintainer right9ctrl either pulled a sneaky move to inject malware or unknowingly had the same effect as if he had, that effect being that it would leak private keys from applications that relied on both the event-stream and copay-dash modules.

CCN | https://www.ccn.com/breaking-numerous-bitcoin-wallets-may-have-been-compromised-by-rogue-developer/

bbc.reporter
November 27, 2018, 03:12:18 AM
 #2

Why would Dominic Tarr give publishing rights to someone he does not know? I reckon there might be more to this story. Did anyone question the possibility that right9ctrl is really Dominic?

Carlton Banks
November 27, 2018, 11:05:43 AM
 #3

Bitpay: another nail in the coffin of their incompetence

Vires in numeris
hatshepsut93
November 27, 2018, 04:00:09 PM
 #4

Javascript's ecosystem has really poor security, people are using modules without even thinking to audit them or checking the devs behind them. Popular packages depend on dozens or even hundreds of other packages, so attack surface can be huge. Developers need to take this issue very seriously, and users should avoid using middlemen like BitPay and online wallets because of these risks.

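Added example, not part of any post in this thread: one way to check the transitive-dependency point raised in post #4 is to list every chain through which event-stream reaches a project in an npm lockfile. The lockfile below is constructed; every package name except event-stream, every version string, and the function names are assumptions made for this example.

```javascript
// Constructed npm lockfile (lockfileVersion 3 layout). Every package name
// except event-stream, and every version string, is made up for this example.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-app", dependencies: { "build-runner": "*", "left-util": "*" } },
    "node_modules/build-runner": { version: "1.0.0", dependencies: { "task-pipe": "*" } },
    "node_modules/task-pipe": { version: "0.4.2", dependencies: { "event-stream": "*" } },
    "node_modules/event-stream": { version: "0.0.1-example" },
    "node_modules/left-util": { version: "2.1.0", dependencies: { "event-stream": "*" } },
    "node_modules/left-util/node_modules/event-stream": { version: "0.0.2-example" },
  },
};

// Resolve `name` as seen from the package installed at `fromPath`: nearest
// node_modules directory first, then each enclosing one, as Node does.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Return every chain of "name@version" entries from the root project to `target`.
function findDependencyPaths(lock, target) {
  const packages = lock.packages || {};
  const results = [];
  function walk(path, chain, seen) {
    const entry = packages[path];
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies,
      path === "" ? entry.devDependencies : null);
    for (const name of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, name);
      if (!resolved || seen.has(resolved)) continue; // not installed, or a cycle
      const next = chain.concat(name + "@" + packages[resolved].version);
      if (name === target) results.push(next);
      else walk(resolved, next, new Set(seen).add(resolved));
    }
  }
  if (packages[""]) walk("", [], new Set([""]));
  return results;
}

for (const chain of findDependencyPaths(sampleLock, "event-stream")) {
  console.log(chain.join(" > "));
}
```

On a real project, pass the parsed contents of package-lock.json; lockfiles older than lockfileVersion 2 have no `packages` map and yield no results here.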
milewilda
November 27, 2018, 04:11:58 PM
 #5

Why would Dominic Tarr give publishing rights to someone he does not know? I reckon there might be more to this story. Did anyone question the possibility that right9ctrl is really Dominic?
Also a question on my mind too which rights do easily being passed out to someone. I'll search up between the relation or the full story of this one because it's impossible on such arrangement without any connections among the two. Talking about right9ctrl is Dominic then it's possible.

leea-1334
November 27, 2018, 04:26:14 PM
 #6

I hope this is a stupid question but this has nothing to do with Electrum wallet or Bitcoin Core right? I do not think I recognize any of those names but you know, just in case. I remember seeing the forum warning when there was the Electrum vulnerability a few months ago so just want to make sure my client is safe.

Any merchants using Bitpay affected?

Theb
November 27, 2018, 05:57:19 PM
 #7

Good thing that BitPay already confirmed the issues as well as provided the necessary steps on transferring funds of the users who are affected. This was their latest blog post regarding the issue.

Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately. Users should not attempt to move funds to new wallets by importing affected wallets' twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.

So to any members here who have Copay wallets you should follow BitPay's instructions in order to avoid any chances of losing your funds. So far I haven't seen any reports of stolen cryptocurrencies but I think Copay users should act immediately before this thing goes south.

cr1776
November 27, 2018, 07:33:24 PM
 #8

I hope this is a stupid question but this has nothing to do with Electrum wallet or Bitcoin Core right? I do not think I recognize any of those names but you know, just in case. I remember seeing the forum warning when there was the Electrum vulnerability a few months ago so just want to make sure my client is safe.

Any merchants using Bitpay affected?

Bitcoin Core doesn't use node.js since it is not written in Javascript.

Electrum is written using primarily Python (https://github.com/spesmilo/electrum), so shouldn't be impacted either.

As far as merchants using Bitpay, who knows.
bbc.reporter
November 28, 2018, 12:11:27 AM
 #9

Bitpay: another nail in the coffin of their incompetence

Isn't only Copay affected and not the Bitpay processor?

In any case, this news should be bigger than it is, I reckon. Also, the users should be informed that there are other bitcoin processors available for them to be safe, like Globee and Btcpay.

figmentofmyass
November 28, 2018, 12:55:38 AM
 #10

Bitpay: another nail in the coffin of their incompetence

Isn't only Copay affected and not the Bitpay processor?

the copay wallet was created by bitpay, and they maintain it. so this compromise certainly reflects poorly on them.

i imagine you're right, they're not running their business on top of copay. i haven't seen any news suggesting bitpay was hacked or anything.

jeromix
November 28, 2018, 03:01:10 PM
 #11

It was proven already year after year that the bitcoin could not be easily cracked down. But, for the bitcoin wallets as stated by OP could be. However, wallets that will be vulnerable for this are those online wallets or the exchange wallets. There is no way that they could breach the hardware wallet that is being stored in the PC or smartphone for it is an offline wallet.
