Tech 27 November 2018

Jasmine Solana

Malicious code injected into BitPay’s Copay wallet steals private keys

Copay, the multisignature wallet from BitPay, described itself as a “secure, shared Bitcoin wallet.” That, apparently, hasn’t been the case for the past several months.

On Monday, BitPay warned users that its open-source wallet had been compromised by malware that “could be used to capture users’ private keys.” According to the blockchain payments company, users of versions 5.0.2 through 5.1.0 of the Copay and BitPay apps “should assume that private keys on affected wallets may have been compromised” and should move their funds to the 5.2.0 version of the app immediately.

The malicious code in question was injected into a Node.js module called Event-Stream by a new user who was given access to the popular JavaScript library by its original author three months ago. Dominic Tarr, previous maintainer of the repository, said he entrusted its development to a new user called right9ctrl who “wanted to maintain the module.”

The new maintainer then proceeded to release Event-Stream 3.3.6 containing Flatmap-Stream library 0.1.1, where the malicious code resides. On GitHub, Ayrton Sparling explained: “He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”

The malicious code only executes successfully if it’s used inside the Copay source code, stealing a user’s wallet information such as private keys, which it sends to the copayapi.host URL on port 8080. According to user Nicolas Noble, “If your overall application has both this malicious package and ‘copay-dash’, then it’s going to try stealing the bitcoins stored in it.”

BitPay said its BitPay app was not vulnerable to the code, noting that it’s still investigating whether the code vulnerability affected any Copay users. BitPay warned, “Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”

At press time, version 3.3.6 of Event-Stream has already been taken down, although the Event-Stream library remains available after right9ctrl released other versions of the module in an effort to hide his malicious code. And the damage, as they say, has been done.
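For readers checking their own projects, the following is an added example (not code from BitPay, npm or the article) that walks an npm lockfile and reports Event-Stream 3.3.6 or Flatmap-Stream 0.1.1, the versions named above. The function names and the sample lockfile, including the ps-tree and through version numbers, are constructed for illustration.

```javascript
// Added example: flag the compromised versions named in the article in an npm lockfile.
// The two versions come from the article; everything else here is constructed.
const BAD = new Map([
  ['event-stream', new Set(['3.3.6'])],
  ['flatmap-stream', new Set(['0.1.1'])],
]);
const isBad = (name, version) => BAD.has(name) && BAD.get(name).has(version);

// Lockfile v2/v3: flat "packages" map keyed by install path,
// e.g. "node_modules/a/node_modules/b". The "" key is the root project.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue;
    const name = path.slice(idx + 'node_modules/'.length);
    if (isBad(name, meta.version)) hits.push({ name, version: meta.version, via: path });
  }
}

// Lockfile v1: nested "dependencies" objects; recurse to reach transitive copies.
function scanDependencies(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const via = [...trail, name];
    if (isBad(name, meta.version)) {
      hits.push({ name, version: meta.version, via: via.join(' > ') });
    }
    scanDependencies(meta.dependencies, via, hits);
  }
}

function findCompromised(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample: a v1-style lockfile that pulls event-stream in transitively.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'ps-tree': { version: '1.1.0', dependencies: {
      'event-stream': { version: '3.3.6', dependencies: {
        'flatmap-stream': { version: '0.1.1' } } } } },
    through: { version: '2.3.8' },
  },
};

for (const h of findCompromised(sampleLock)) console.log(`${h.name}@${h.version} via ${h.via}`);
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findCompromised`; an empty result only means neither version is pinned in that lockfile.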
