Bitcoin Forum
Author Topic: Vulnerability in the Ledger Bitcoin App Discovered  (Read 487 times)
Pmalek (OP)
June 04, 2020, 06:21:00 PM #1

A vulnerability has been discovered and rectified in the Bitcoin app on the Ledger Live hardware wallets. It affects Bitcoin as well as all forks of it. This exploit can't result in the accounts being emptied out, but it allows a hacker to increase the transaction fees "without confirmation on the device".

This applies only to transactions containing at least one SegWit input. The subject would also have to use a fake Ledger software/wallet and be tricked into signing a transaction twice.  

Ledger is saying that they don't have any records that this vulnerability has been exploited in the past.
A fix has already been released and Ledger Live users are suggested to update their software to version 2.4.1 and update their installed apps on their Ledger hardware wallets.

More info available here
https://support.ledger.com/hc/en-us/articles/360014191540-Massive-transaction-fees-in-BTC-and-BTC-based-apps
https://donjon.ledger.com/lsb/010/

Rath_ (aka BitCryptex)
June 04, 2020, 06:54:09 PM #2

Just for the record, this vulnerability is not specific to Ledger devices. This has been also fixed in the recent Trezor software update. Other hardware wallets might be affected as well.
bob123
June 04, 2020, 06:55:06 PM #3

The same vulnerability has been fixed by Trezor.
This has something to do with segwit and other wallets are most likely affected too.

Trezor post: https://blog.trezor.io/latest-firmware-updates-correct-possible-segwit-transaction-vulnerability-266df0d2860

Pmalek (OP)
June 04, 2020, 07:03:48 PM #4

Yes, they mentioned that other wallets are affected as well; it's not a problem that is exclusive to Ledger. And apparently it is an issue that is known and has been brought up several years ago.

hugeblack
June 05, 2020, 08:53:46 AM #5

I don't know how this can be considered a vulnerability, as it requires downloading some other wallet application or a fake Ledger Live to succeed. It also requires the user not to pay attention, or not to cancel the transaction completely when he gets an error?

The strange thing is, why did the firmware update take about 90 days? I thought it was similar to what happened with Electrum, just upgrading to prevent popup notifications would suffice.

Edit:
Quote
Unfortunately, some third-party tools do not allow hardware wallets to obtain the previous transaction in case of SegWit inputs, which is why Trezor will not be able to sign transactions using these tools until they are updated to work correctly. Due to the responsible disclosure process, we were not able to inform the maintainers beforehand.
Web-based applications
It seems that the problem is with third-party tools and obtaining the previous transaction.
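The Trezor quote above says the fix is to make the hardware wallet obtain and check the previous transaction for every SegWit input instead of trusting the amount the host software claims. The following is an added example of that check, written for this thread and not code from Ledger or Trezor: it parses a serialized (non-witness) previous transaction, confirms it hashes to the referenced txid, compares the real output value with the host's claimed amount, and only then computes the fee the device would display. Function names and the sample transaction (empty output scripts, coinbase-style input) are constructed for the demo.

```python
import hashlib
import struct

def read_varint(raw: bytes, pos: int):
    """Decode a Bitcoin CompactSize integer at raw[pos]; return (value, next position)."""
    first = raw[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(raw[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_prevtx(raw: bytes):
    """Walk a serialized non-witness transaction; return (txid hex, output values in sats)."""
    pos = 4                                  # skip version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                            # outpoint (txid + index)
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    values = []
    for _ in range(n_out):
        values.append(struct.unpack_from("<Q", raw, pos)[0])
        script_len, pos = read_varint(raw, pos + 8)
        pos += script_len
    txid = hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()
    return txid, values

def checked_fee(inputs, outputs, prevtxs):
    """inputs: [(txid, vout, claimed_sats)]; outputs: [sats]; prevtxs: {txid: raw bytes}."""
    total_in = 0
    for txid, vout, claimed in inputs:
        if txid not in prevtxs:              # without the prevtx the amount is just the host's word
            raise ValueError(f"previous transaction {txid} not supplied")
        real_txid, values = parse_prevtx(prevtxs[txid])
        if real_txid != txid:                # the prevtx must actually be the one the input spends
            raise ValueError("supplied previous transaction does not hash to the referenced txid")
        actual = values[vout] if vout < len(values) else None
        if actual != claimed:                # this is the check that catches an inflated fee
            raise ValueError(f"claimed {claimed} sats for {txid}:{vout}, prevtx says {actual}")
        total_in += claimed
    return total_in - sum(outputs)           # fee the device can now display with confidence

def build_prevtx(values):
    """Constructed sample only: one coinbase-style input, outputs with empty scripts."""
    raw = struct.pack("<I", 1) + b"\x01" + b"\x00" * 32 + b"\xff" * 4 + b"\x00" + b"\xff" * 4
    raw += bytes([len(values)])
    for v in values:
        raw += struct.pack("<Q", v) + b"\x00"
    return raw + struct.pack("<I", 0)        # locktime
```

A real device would parse witness-serialized previous transactions as well and would run this before any signing prompt, so a mismatched amount aborts the flow rather than silently changing the displayed fee.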
joniboini
June 08, 2020, 01:04:52 PM #6

UPD: got 2.2.3 2.3.2 (after updated 1.2.0) working but no further progress.

Do you still have this problem? What does the log say about it? If it crashes, then there should be something in Event Viewer.

I'd rather wait for the new version Electrum instead of using Ledger Live if I ever update my firmware btw.

Lucius
June 08, 2020, 02:21:28 PM #7

Quote
The strange thing is, why did the firmware update take about 90 days? I thought it was similar to what happened with Electrum, just upgrading to prevent popup notifications would suffice.

What kind of firmware update are you talking about? This is exclusively about software upgrades, more precisely Ledger Live and their BTC app. If you refer to Electrum phishing from 2018, then you pretty much mixed things up. This is something much more innocuous, and it's actually related to SegWit, not some vulnerability that has anything to do with Ledger or Trezor.

If someone could similarly manipulate the servers used by Ledger and Trezor, it would do enormous damage to those who would not be careful enough.
