I came across this news and decide to share it with you guys so people should be aware if their funds get locked by ledger and cannot be spent. You guys need to update the hardware wallet to fix it.
I do not own Ledger and I cannot 100% confirm the legitimacy of the source website but seems that the guy who found the vulnerability actually posted it on Twitter.
In brief
A vulnerability in Ledger's hardware wallets allows a request for an altcoin transaction to actually request the movement of Bitcoin.
The exploit was reportedly disclosed to Ledger back in 2019.
Ledger said it's because the firm wanted "to avoid a situation where user funds would be locked and users unable to spend their funds.”
An exploit in Ledger’s crypto hardware wallets could allow malicious actors to steal Bitcoin, according to a report published by Liquality developer Mohammed Nokhbeh on Tuesday.
The attack works by the bad actor creating a transaction that looks like an altcoin payment (a coin that isn’t Bitcoin) when it actually takes Bitcoin out of the wallet instead.
“An attacker can exploit this method to transfer Bitcoin while the user is under the impression that a transaction of another, less valuable altcoin (e.g. Litecoin, Testnet Bitcoins, Bitcoin Cash, etc.) is being executed,” wrote Nokhbeh.
This is worrying because the user thinks that they’re handing out 0.01 of an altcoin, which could be far less valuable than 0.01 Bitcoin, for instance.
"A new version of the Bitcoin app will be released today, with an update that will display a warning and prompt for confirmation when an unexpected path is used—therefore solving this issue," said a Ledger spokesperson (who later confirmed that the fix is now live).
Source >
https://decrypt.co/37651/ledger-exploit-makes-you-spend-bitcoin-instead-of-altcoinsSource, the guy who found the vulnerability >
https://monokh.com/posts/ledger-app-isolation-bypass
