Author

Topic: Copay version from 5.0.2 to 5.1.0 [Please do not open the app] (Read 136 times)

legendary
Activity: 2758
Merit: 6830
You have to admit, handing the module maintenance to a foreign guy you have never heard of and who just emailed you, is totally ridiculous.  Cheesy
Does it mean so, any crypto wallet that makes use of Javascript is potentially vulnerable or already infected? I can already smell the waves of articles about this. Like if we needed more bad news these days...  Roll Eyes
Any crypto wallet pulling random NPM modules for their projects.

Check my post in the other thread:
I don't use Copay, but this is worrying. Mostly because of this part:

Quote
This is one of the major issues with JavaScript-based cryptocurrency wallets with heavy up-stream dependencies coming from NPM. @BitPay essentially trusted all the up-stream developers to never inject malicious code into their wallet.@dominictarr also let the attacker in, sadly
From: https://twitter.com/ummjackson/status/1067132600739721216

Quote
You do know how many products and services do this? This is a much bigger issue than just BitPay.
From: https://twitter.com/brianchoffman/status/1067141337772888070

I already knew how dangerous can be running tons of third-party NPM packages because of this super interesting article I read a few months ago: I’m harvesting credit card numbers and passwords from your site. Here’s how.
copper member
Activity: 2940
Merit: 4101
Top Crypto Casino
You have to admit, handing the module maintenance to a foreign guy you have never heard of and who just emailed you, is totally ridiculous.  Cheesy
Does it mean so, any crypto wallet that makes use of Javascript is potentially vulnerable or already infected? I can already smell the waves of articles about this. Like if we needed more bad news these days...  Roll Eyes
copper member
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
Its being said that even all the million NPM module users are affected as well not only copay
https://twitter.com/ummjackson/status/1067131569612058624
legendary
Activity: 2702
Merit: 4002
Based on some of the reports in #9346 "`event-stream` dependency attack steals wallets from users of copay", some packages have been modified to load malicious code that can capture users' private keys.
Therefore, anyone who uses the previous versions "from 5.0.2 to 5.1.0" of these wallets should not open or run any of them, nor should be recovered using 12-backup phrases of those wallets.

Our team is continuing to investigate this issue and the extent of the vulnerability. In the meantime, if you are using any Copay version from 5.0.2 to 5.1.0, you should not run or open the app. A security update version (5.2.0) has been released and will be available for all Copay and BitPay wallet users in the app stores momentarily.

Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately. Users should not attempt to move funds to new wallets by importing affected wallets' twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.
Jump to: