So was talking about this while burgers & beers earlier.
The fix they sent him barely works and causes errors and when it does work it's still not right. But as he put it "was more of a proof of concept then finished coding"
However, they are working on it so I'll give them that.
And yes it's a What's App burgers and beers meeting since he is several time zones away....
-Dave
Interesting; so the bug / exploit you guys found is going to be fixed by the manufacturer now?
I was under the impression that due to its nature it was not vendor-specific to just one brand and that it was going to be hard to fix.
The attack I imagined from your rough description, wouldn't be easy to fix outside the OS level.
The editing of the webpage with an address in a fixed known position is not going to be a fixable, that just is what it is.
The other thing that can be fixed that I have been evasive about discussing is more along the lines of changing the way the apps on the computer talk to the device.
Without getting to into it because:
1) I promised not to
and
2) I don't understand it fully...
The desktop app says to the hw wallet lets send funds to this address 1234 the cable sends to the device lets send funds to 5678 at that point the user should stop. But the issue is a lot of people get complacent and don't check.
The other issue is at certain times and certain conditions he can FORCE 1234 to be displayed on the device. Don't ask how I got as far as "you plug in the cable and then......it's all gibberish" I am not ashamed to admit it's over my head. I can fake PHP work, really know linux and like to think I am fairly good at routing. And in general tend to be the go-to person for dealing with many system issues.
But this, nope, I get the basic concept of how it works. But don't get it past there.
-Dave
