Tech 3 weeks ago

Jasmine Solana

Malicious code injected into BitPay’s Copay wallet steals private keys

Copay, the multisignature wallet from BitPay, described itself as a “secure, shared Bitcoin wallet.” That, apparently, hasn’t been the case for the past several months.

On Monday, BitPay warned users that its open-source wallet had been compromised by malware that “could be used to capture users’ private keys.” According to the blockchain payments company, users “should assume that private keys on affected wallets may have been compromised.” The affected releases are versions 5.0.2 through 5.1.0 of the Copay and BitPay apps, and users should move their funds to version 5.2.0 of the app immediately.

The malicious code in question was injected into a Node.js module called Event-Stream by a new user who was given access to the popular JavaScript library by its original author three months ago. Dominic Tarr, previous maintainer of the repository, said he entrusted its development to a new user called right9ctrl who “wanted to maintain the module.”

The new maintainer then proceeded to release Event-Stream 3.3.6 containing Flatmap-Stream library 0.1.1, where the malicious code resides. On GitHub, Ayrton Sparling explained: “He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”

The malicious code only executes successfully if it’s used inside the Copay source code, stealing a user’s wallet information such as private keys, which it sends to the copayapi.host URL on port 8080. According to user Nicolas Noble, “If your overall application has both this malicious package and ‘copay-dash’, then it’s going to try stealing the bitcoins stored in it.”

BitPay said its BitPay app was not vulnerable to the code, noting that it’s still investigating whether the code vulnerability affected any Copay users. BitPay warned, “Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”

At press time, the Event-Stream 3.3.6 version has already been taken down, although the Event-Stream library remains available after right9ctrl released other versions of the module in an effort to hide his malicious code. And the damage, as they say, has been done.
