A major vulnerability in Ledger’s software has been publicly disclosed by Liquality developer Mohammed Nokhbeh. According to Nokhbeh, there is a vulnerability in Ledger’s software that takes BTC out of a user’s wallet when they are trying to make a transaction with any of the Bitcoin hard forks.

“It was discovered that for BTC and Bitcoin forks, the device exposes its functions for any of the assets,” said Nokhbeh. “In other words, having unlocked the Litecoin app, you will receive a confirmation request for a BTC transfer while the interface presents it as a transfer of Litecoins to a Litecoin address. Accepting the confirmation produces a fully valid signed BTC (mainnet) transaction.”
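As an added illustration (not Ledger’s or Nokhbeh’s code), the following Python models the signing gate described in the quote: a vulnerable version that signs for any key path the host sends, beside a hardened one that refuses when the SLIP-0044 coin_type in the BIP44-style key path does not match the app the user unlocked. The function names, the path check and the sample request are assumptions made for this illustration.

```python
# Added illustration, not Ledger's code: models the behaviour Nokhbeh
# describes (any Bitcoin-fork app signs for any asset) beside one
# possible defence (refuse unless the key path's coin_type matches the
# unlocked app). Names, structure and the sample request are assumptions.

# SLIP-0044 coin_type indices (public constants): 0 = Bitcoin, 2 = Litecoin.
COIN_TYPE = {"BTC": 0, "LTC": 2}
# Hardened purpose levels commonly used for these coins (BIP44/49/84).
PURPOSES = {"44'", "49'", "84'"}


def coin_type_from_path(path: str) -> int:
    """Return the hardened coin_type at level 2 of m/purpose'/coin_type'/...

    Raises ValueError for anything malformed or non-hardened, so an odd
    path is rejected rather than silently trusted.
    """
    parts = path.split("/")
    if len(parts) < 3 or parts[0] != "m" or parts[1] not in PURPOSES:
        raise ValueError(f"unsupported key path: {path!r}")
    coin = parts[2]
    if not coin.endswith("'") or not coin[:-1].isdigit():
        raise ValueError(f"coin_type must be hardened: {coin!r}")
    return int(coin[:-1])


def vulnerable_gate(unlocked_app: str, key_path: str) -> str:
    """Models the reported behaviour: the app signs whatever the host asks."""
    return "SIGN"


def hardened_gate(unlocked_app: str, key_path: str) -> str:
    """Sign only when the key path belongs to the asset the user unlocked."""
    expected = COIN_TYPE.get(unlocked_app)
    try:
        requested = coin_type_from_path(key_path)
    except ValueError:
        return "REJECT"
    return "SIGN" if expected is not None and requested == expected else "REJECT"


if __name__ == "__main__":
    # Constructed request: the user unlocked Litecoin, but the host asks for a
    # signature with a Bitcoin (coin_type 0) key while its UI shows an LTC transfer.
    print(vulnerable_gate("LTC", "m/44'/0'/0'/0/0"))  # SIGN
    print(hardened_gate("LTC", "m/44'/0'/0'/0/0"))    # REJECT
    print(hardened_gate("LTC", "m/44'/2'/0'/0/0"))    # SIGN
```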

The public disclosure comes less than a week after it was discovered that Ledger had been the victim of a breach in which 1 million customer email addresses, as well as the first and last names, postal addresses, phone numbers, and ordered products of 9,500 customers, were compromised.

Ledger knew about the vulnerability

Nokhbeh said Ledger knew about this vulnerability for more than a year but declined to fix it. Nokhbeh first made Ledger aware of the issue in January 2019, when he submitted a detailed report of the attack vector to Ledger’s bounty program. However, Nokhbeh says he quickly learned “that they [Ledger] weren’t motivated to see this issue to completion.” After going back and forth with the company for over a year, often following up with Ledger only for them not to respond, the 90-day disclosure period finally came to an end, and Nokhbeh publicly disclosed the vulnerability on his own website.

What will Ledger do?

Shortly after Nokhbeh published his public disclosure, Ledger updated their software to eliminate the attack vector. In addition, Ledger made an announcement on their site acknowledging the software update and made a weak attempt to explain why it took them so long to update their software, saying that:

“The reporter (Nokhbeh) sent Twitter DM messages that were missed by most of the security engineers. Indeed, the [email protected] email address is the only way to reach the whole security team.”
