Website Monokh released report for new vulnerability found in wallet can lead to theft of user funds.
Anyone using Bitcoin forks (Litecoin, BCash, testnet Bitcoin etc.) could e affected with this issue.

Ledger was informed about this but it still remain unaddressed!






What is easy solution for regular users?
- Avoid using any altcoin apps in Ledger walet.

Website source:
https://monokh.com/posts/ledger-app-isolation-bypass

There's some more context in this reddit thread: https://www.reddit.com/r/ledgerwallet/comments/i3kr76/new_ledger_vulnerability/g0c2x7i/. btchip is one of Ledger's co-founders and executive. The TL;DR is that they knew about it, were working on it, but missed the deadlines because of COVID and being busy dealing with the data leak. That I could maybe accept if they had previously made a post saying "There is a vulnerability and here is what you need to do about it until we get it fixed", but to leave all their users completely in the dark is unacceptable.

Agreed.

I have read that this vulnerability was reported on May 4^[1], so monokh committed to the three-month period before the vulnerability was announced which was yesterday.

It is strange that Ledger support team did not move to fix it and they had about 3 months to repair and improve their reputation, even as the responses were worrying^[2].


I do not think that the risk includes all altcoins, but all Bitcoin Hardforks.


this is  the list of effective coins:

source ----> https://unhashed.com/bitcoin-cryptocurrency-forks-list/
Read about other altcoins ---> https://unhashed.com/bitcoin-cryptocurrency-forks-list/

[1] https://monokh.com/posts/ledger-app-isolation-bypass
[2]

My point was that if you don't use it for altcoins you can simply just buy the cheaper Nano S or the cheapest Trezor.
But you're right, I was not clear enough on that.


Of course that the wallet has to be malicious, but we already had a good share of such wallets exactly for "cashing in" various Bitcoin hard forks.

I don't use any shitcoin apps in Ledger so I am not affected so much, but I think Ledger reputation is going down with elevator speed  
Pure shit I tell you!
And Ledger gang is very quiet  

That is true.
Author or this article (who informed them about this issue) had to release his own article (monokh.com) and force them to address this issue.

Sit on the problem for 3 months, claim that they are too busy to fix it, blame COVID and the holidays, and then push a fix 24 hours after the bug is publicly revealed due to community backlash. At the moment I still prefer my Ledger devices over my Trezor devices due to the unfixable Trezor vulnerability, but this really isn't a good look for Ledger as a company.

At least it's fixed. Everyone make sure to update. And if you haven't already, think about creating properly airgapped and encrypted cold storage.

And it is more than clear why Ledger, as a company, takes such a rather frivolous stance when it comes to discoveries like this - they think that the possibility of a successful attack (although the possibility exists) is very small. And to be honest, every vulnerability found is fixed sooner or later - fact is that there is no documented case of someone being hacked for any security vulnerability, which still makes a hardware wallet one of the more secure ways to store crypto.

However, I believe that Ledger must pay more attention to security and test its devices for all possible attacks on a daily basis. Everything that has been happening lately is just the result of the company's wrong business policy - and in addition to the already mentioned Ledger Live trading options, there are also Ledger branded clothing and Ledger metal backup plates.

Personally, I have nothing against it - but security should come first, no matter how trivial it may seem from a security point of view.

I said it before, from the moment when they started to include all of the shitcoins and forks, that this will only hurt them in the long run.
They should better focus on privacy features and improving LedgerLive with adding Tor for example, and remove that stupid ads.
I don't like to see them every time I need to update.

This is what I got this time, and I had to restart several times to get it working and updating.


I hope they will learn something from this.

Agreed. I've also said before that it is ridiculous that they are focusing on adding shitcoin support when Ledger Live still doesn't allow address or UTXO control/management. I initially refused to use it over Electrum because of the UTXO control, but as time goes on and they add a ridiculous trading platform and ads (ads in a product I've already paid for, no less), as well as the horrendous privacy concerns, I'm glad I never use it and it will take some significant changes before I ever do use it.

This applies to pretty much everything to do with crypto, not just hardware wallets.

Is there any suggestion that there was a similar bug bounty submitted to Trezor, or have they just seen the Ledger one, examined their own devices, and realized they were also susceptible?

I guess only Trezor knows.
But according to https://trezor.io/security/, there hasn't been such a vulnerability reported and fixed.

So i would assume, they checked their device upon seeing the vulnerability affecting Ledger. But only a guess tho.