BSV
$52.66
Vol 30.7m
-0.84%
BTC
$94524
Vol 46963.67m
-2.55%
BCH
$440.95
Vol 288.98m
-3.27%
LTC
$99.95
Vol 730.82m
-0.5%
DOGE
$0.31
Vol 4283.17m
-2.79%
Getting your Trinity Audio player ready...

In a recent article written as a how-to, Medium blogger Paris Cormier described a set of instructions on how to successfully infiltrate a Ledger wallet. The instructions, which followed a fully-detailed Docdroid.netdisclosure,were posted for educational purposes to prevent the hack from being replicated and protect users who may fall victim to it.

The hardware wallet company acknowledged this vulnerability in their product with a tweet claiming that the “man in the middle attack” can be mitigated by verifying the receive address on the device’s screen. This is done by clicking the “monitor button” found in the wallet’s interface.

Following a report from news.bitcoin.com last month in which a man’s life savings were stolen from a hardware wallet supplied by a reseller, the news that Ledger’s hardware wallets are vulnerable has been met with anger from cryptocurrency users. The man described in the report is Redditor u/moodyrocket, who claimed that he has “[…] not used my Ledger in a week, today I decide to check the value of my XRP, Litecoin and Dash only to discover that all of them showed up as zero and had been transferred somewhere else yesterday all around the same time at 7:30pm. I am not sure how this is possible as I have not access my Ledger in a week.”

Cormier’s guide describes Ledger wallets as “one of the many that generate new public keys for each receiving transaction.” Such transactions are done by executing JavaScript code which runs from the client-side. According to the guide, “This means that malicious code can easily replace the automatically generated receiving address with a hacker’s.”

Given how public keys are changed regularly, users may not suspect any issues that would arise from this process. Users also have no viable method to verify the validity of the receiving address, without resorting to external or third-party applications to manually verify addresses.

Here’s an illustration of the hack as posted by @LedgerHQ on Twitter:

Recommended for you

Google unveils ‘Willow’; Bernstein downplays quantum threat to Bitcoin
Google claims that Willow can eliminate common errors associated with quantum computing, while Bernstein analysts noted that Willow’s 105 qubits...
December 18, 2024
WhatsOnChain adds support for 1Sat Ordinals with new API set
WhatsOnChain now supports the 1Sat Ordinals with a set of APIs in beta testing; with this new development, developers can...
December 13, 2024
Advertisement
Advertisement
Advertisement