A major vulnerability in Ledger’s software has been publicly disclosed by Liquality developer Mohammed Nokhbeh. According to Nokhbeh, the flaw lets BTC be taken out of a user’s wallet when they try to make a transaction with any of the Bitcoin hard forks.

“It was discovered that for BTC and Bitcoin forks, the device exposes its functions for any of the assets,” said Nokhbeh. “In other words, having unlocked the Litecoin app, you will receive a confirmation request for a BTC transfer while the interface presents it as a transfer of Litecoins to a Litecoin address. Accepting the confirmation produces a fully valid signed BTC (mainnet) transaction.”
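
As an added illustration (not Ledger’s code, and not a description of the fix Ledger shipped), the following Python shows the consistency check that the confusion Nokhbeh describes would fail: the BIP44 coin_type in the requested derivation path and the network of the destination address must both match the app the user believes is open. The SLIP-0044 coin types and BTC/LTC mainnet address prefixes are real; the app table, function names and sample addresses are constructed for this example.

```python
# Added illustration, not Ledger's code: a pre-signing consistency check.
# It verifies that the BIP44 coin_type in the derivation path and the network
# of the destination address both match the app the user believes is open.
from typing import List, Optional

HARDENED = 0x80000000

# SLIP-0044 coin types and mainnet address prefixes (bech32 HRP, base58 first char).
# The table itself, and the limitation to these two coins, is a constructed assumption.
APPS = {
    "Bitcoin":  {"coin_type": 0, "hrp": "bc", "base58_prefixes": ("1", "3")},
    "Litecoin": {"coin_type": 2, "hrp": "ltc", "base58_prefixes": ("L", "M")},
}

def parse_bip32_path(path: str) -> List[int]:
    """Turn "m/44'/2'/0'/0/0" into child indexes with the hardened bit applied."""
    parts = path.strip().split("/")
    if not parts or parts[0] != "m":
        raise ValueError("path must start with m/")
    out = []
    for p in parts[1:]:
        hardened = p.endswith(("'", "h"))
        n = int(p.rstrip("'h"))
        if not 0 <= n < HARDENED:
            raise ValueError(f"index out of range: {p}")
        out.append(n | HARDENED if hardened else n)
    return out

def address_network(addr: str) -> Optional[str]:
    """Map an address to an app name by bech32 HRP or base58 leading character."""
    for app, meta in APPS.items():
        if addr.lower().startswith(meta["hrp"] + "1"):
            return app
        if addr and addr[0] in meta["base58_prefixes"]:
            return app
    return None

def check_signing_request(open_app: str, path: str, dest_addr: str) -> List[str]:
    """Return the list of mismatches; an empty list means the request is consistent."""
    problems = []
    meta = APPS[open_app]
    idx = parse_bip32_path(path)
    # BIP44 layout: m / purpose' / coin_type' / account' / change / index
    if len(idx) < 2 or idx[1] != (meta["coin_type"] | HARDENED):
        problems.append(f"derivation path coin_type does not match {open_app}")
    net = address_network(dest_addr)
    if net != open_app:
        problems.append(f"destination address is {net or 'unrecognised'}, not {open_app}")
    return problems
```

A check of this kind only protects against a compromised host if the device firmware enforces it before displaying the confirmation; it is written in Python here purely for readability.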

The public disclosure comes less than a week after it was discovered that Ledger had been the victim of a breach in which 1 million customer email addresses, as well as the first and last name, postal address, phone number, and ordered products of 9,500 customers, were compromised.

Ledger knew about the vulnerability

Nokhbeh said Ledger knew about this vulnerability for more than a year but declined to fix it. Nokhbeh first made Ledger aware of the issue in January 2019, when he submitted a detailed report of the attack vector to Ledger’s bounty program. However, Nokhbeh says he quickly learned “that they [Ledger] weren’t motivated to see this issue to completion.” After going back and forth with the company for over a year, often following up with Ledger only for them not to respond, the 90-day disclosure period finally came to an end, and Nokhbeh publicly disclosed the vulnerability on his own website.

What will Ledger do?

Shortly after Nokhbeh published his public disclosure, Ledger updated their software to eliminate the attack vector. In addition, Ledger made an announcement on their site acknowledging the software update, and made a weak attempt to explain why it took them so long to update their software, saying that:

“The reporter (Nokhbeh) sent Twitter DM messages that were missed by most of the security engineers. Indeed, the [email protected] email address is the only way to reach the whole security team.”
