Tech | 3 weeks ago | Jasmine Solana
Malicious code injected into BitPay’s Copay wallet steals private keys
Copay, the multisignature wallet from BitPay, described itself as a “secure, shared Bitcoin wallet.” That, apparently, hasn’t been the case for the past several months.
On Monday, BitPay warned users that its open-source wallet has been compromised by malware that “could be used to capture users’ private keys.” According to the blockchain payments company, users of affected wallets (specifically versions 5.0.2 through 5.1.0 of the Copay and BitPay apps) “should assume that private keys on affected wallets may have been compromised,” and they should move their funds to the 5.2.0 version of the app immediately.
The new maintainer then proceeded to release Event-Stream 3.3.6 containing Flatmap-Stream library 0.1.1, where the malicious code resides. On GitHub, Ayrton Sparling explained: “He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”
The malicious code only executes successfully if it’s used inside the Copay source code, where it steals a user’s wallet information, such as private keys, and sends it to the copayapi.host URL on port 8080. According to user Nicolas Noble, “If your overall application has both this malicious package and ‘copay-dash’, then it’s going to try stealing the bitcoins stored in it.”
BitPay said its BitPay app was not vulnerable to the code, noting that it’s still investigating whether the code vulnerability affected any Copay users. BitPay warned, “Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”
At press time, the Event-Stream 3.3.6 version has already been taken down, although the Event-Stream library remains available after Right9ctrl released other versions of the module in an effort to hide his malicious code. And the damage, as they say, has been done.
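For teams checking their own projects, the following Node.js code is an added example (not code from BitPay, npm or this article) that scans a parsed `package-lock.json` for the two package versions named above, event-stream 3.3.6 and flatmap-stream 0.1.1. The function names, the `SAMPLE_LOCK` data and the other package versions in it are constructed for illustration.

```javascript
// Added example: find the package versions named in the article inside an npm lockfile.
// The version list comes from the article; all other names here are illustrative.
const KNOWN_BAD = new Map([
  ['event-stream', ['3.3.6']],
  ['flatmap-stream', ['0.1.1']],
]);
const isBad = (name, version) => (KNOWN_BAD.get(name) || []).includes(version);

// lockfileVersion 1: nested tree { dependencies: { name: { version, dependencies } } }
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (isBad(name, info.version)) {
      hits.push({ name, version: info.version, path: path.join(' > ') });
    }
    walkV1(info.dependencies, path, hits); // transitive copies can be nested
  }
}

// lockfileVersion 2/3: flat map keyed by install path, e.g. "node_modules/a/node_modules/b"
function walkV2(packages, hits) {
  for (const [key, info] of Object.entries(packages || {})) {
    if (!key) continue; // "" is the root project entry
    const parts = key.split('node_modules/').filter(Boolean)
      .map((p) => p.replace(/\/$/, ''));
    const name = parts[parts.length - 1];
    if (isBad(name, info.version)) {
      hits.push({ name, version: info.version, path: parts.join(' > ') });
    }
  }
}

// Takes the parsed JSON of package-lock.json and returns every affected entry.
function auditLockfile(lock) {
  const hits = [];
  if (lock.packages) walkV2(lock.packages, hits);
  else walkV1(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample in lockfileVersion 1 shape; not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'ps-tree': { version: '1.1.0', dependencies: { 'event-stream': { version: '3.3.6' } } },
    'flatmap-stream': { version: '0.1.1' },
    'through': { version: '2.3.8' },
  },
};
for (const h of auditLockfile(SAMPLE_LOCK)) console.log(`AFFECTED ${h.name}@${h.version} via ${h.path}`);
```

To check a real project, pass the parsed contents of its `package-lock.json` to `auditLockfile`; the `path` field shows which dependency pulled the package in.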