
Topic: Copay and other wallets potentially compromised with dodgy node.js module (Read 206 times)

legendary
Activity: 3150
Merit: 2185
Holy shit so that was the mystery payload of the event-stream backdoor! :O

Here's the GitHub discussion for anyone interested; when the backdoor was first found its intention was not yet clear:
https://github.com/dominictarr/event-stream/issues/116

Despite the severity of the issue, I don't fully agree with the article's condemnation of BitPay's practices. I also don't think that event-stream's original maintainer deserves all the flak he got.

However, it goes to show how shaky modern JavaScript development is from a security perspective. Event-stream is an extremely popular npm package and as such is rather trusted and used in a lot of other applications. As such it could have hit any other Node.js-based wallet as well. This is a problem with modern JavaScript development in general, rather than with BitPay specifically.
legendary
Activity: 2268
Merit: 18771
https://github.com/bitpay/copay/issues/9346#issuecomment-441827353

https://blog.bitpay.com/npm-package-vulnerability-copay/

Quote
Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately.

So Copay wallets from 5.0.2 through to 5.1.0 are vulnerable. BitPay apps are not vulnerable, apparently. If you are running one of these versions of the Copay app, you should not open the app. Advice is instead to update to 5.2.0, and then use "Send Max" to transfer all your funds to a new wallet. You should not restore your wallet from your mnemonic seed, as that seed is linked to potentially compromised private keys.

It is currently unclear whether this affects other wallets forked from Copay (such as Copay Dash), or any other wallets in general.
legendary
Activity: 2772
Merit: 2846
Quote from: TryNinja
Quote
You do know how many products and services do this? This is a much bigger issue than just BitPay.


Is there a list of all wallets affected by this yet?
legendary
Activity: 2758
Merit: 6830
I don't use Copay, but this is worrying. Mostly because of this part:

Quote
This is one of the major issues with JavaScript-based cryptocurrency wallets with heavy up-stream dependencies coming from NPM. @BitPay essentially trusted all the up-stream developers to never inject malicious code into their wallet. @dominictarr also let the attacker in, sadly
From: https://twitter.com/ummjackson/status/1067132600739721216

Quote
You do know how many products and services do this? This is a much bigger issue than just BitPay.
From: https://twitter.com/brianchoffman/status/1067141337772888070

I already knew how dangerous running tons of third-party NPM packages can be because of this super interesting article I read a few months ago: "I’m harvesting credit card numbers and passwords from your site. Here’s how."
legendary
Activity: 2604
Merit: 3056
Welt Am Draht
https://www.ccn.com/breaking-numerous-bitcoin-wallets-may-have-been-compromised-by-rogue-developer/

https://github.com/bitpay/copay/issues/9346

Not so wonderful for users and revealed at a deeply unsexy time for the wellbeing of the crypto market. I use Copay for the various Bcashes only myself so I won't exactly be devastated if it does a runner. Still, keep an eye out for fixes or tips if you're exposed to this.
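
The transitive-dependency concern raised in this thread, as an added example that is not part of any post or of any project's own code: a Node.js function that takes a parsed `package-lock.json` and reports every installed copy of a package (here `event-stream`) together with the packages that declare it. The function name `findPackage`, the `example-*` package names and all versions in the sample lock files are constructed for illustration.

```javascript
// Added example: find every installed copy of a package in a parsed
// package-lock.json and list which packages declare it as a dependency.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);

function findPackage(lock, target) {
  const hits = [];       // installed copies: { path, version }
  const requiredBy = []; // declaring packages: { from, range }
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed "node_modules/a/node_modules/b"; "" is the root
    for (const [key, meta] of Object.entries(lock.packages)) {
      const name = key.split('node_modules/').pop();
      if (key !== '' && name === target) hits.push({ path: key, version: meta.version });
      const declared = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
      if (has(declared, target)) requiredBy.push({ from: key || '(root)', range: declared[target] });
    }
  } else {
    // lockfileVersion 1: nested tree; "requires" holds each package's declared ranges
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = [...trail, name];
        if (name === target) hits.push({ path: path.join(' > '), version: meta.version });
        if (has(meta.requires, target)) {
          requiredBy.push({ from: path.join(' > '), range: meta.requires[target] });
        }
        walk(meta.dependencies, path);
      }
    };
    walk(lock.dependencies, []);
  }
  return { hits, requiredBy };
}

// Constructed lock files; package names other than event-stream and all versions are made up.
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'example-wallet', devDependencies: { 'example-build-tool': '*' } },
  'node_modules/example-build-tool': { version: '1.0.0', dependencies: { 'event-stream': '*' } },
  'node_modules/event-stream': { version: '0.0.0-constructed' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'example-build-tool': { version: '1.0.0', requires: { 'example-runner': '*' }, dependencies: {
    'example-runner': { version: '2.0.0', requires: { 'event-stream': '*' }, dependencies: {
      'event-stream': { version: '0.0.0-constructed' },
    } },
  } },
} };

console.log(JSON.stringify(findPackage(sampleV3, 'event-stream'), null, 2));
console.log(JSON.stringify(findPackage(sampleV1, 'event-stream'), null, 2));
```

In both samples the root project never names `event-stream` itself; it arrives through a build tool, which is why the `requiredBy` list matters more than the project's own `package.json`.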