Topic: Ledger library possibly compromised (Read 213 times)

Yeah, that's not correct. But I am pretty sure they were talking about the Ledger Developer Portal and everything concerning native and 3rd-party crypto apps

Has Ledger at least explained how a former employee still had enough access to cause this latest debacle?

Ledger even lies on their packaging:


That's written on the box for hardware wallets running closed source firmware.  That's intentionally misleading, which means it's a lie.

Even better advice would be:

You're comparing apples to oranges, ser. Plus by describing that "it's like a girlfriend saying that she'll never leave you while she's on Tinder", you're actually saying that Ledger developers are lying.

"Your keys are always stored on your device and never leave it"

May 14th, 2023

"Private data, such as your private keys will be protected and never leave the device due to the combination of BOLOS and the Secure Element."

"The secret keys or seed are never exposed to the BLE stack and never, ever leave the Secure Element."

"While Ledger is using a dual chip system with an MCU as well, the important part is that your private keys remain inside the Secure Element."

"This means that, beyond keeping your private key offline and away from hackers, the Ledger device itself is also completely impenetrable from external threats"

"WE ARE OPEN SOURCE"

"Hi - your private keys **never** leave the Secure Element chip, which has never been hacked. The Secure Element is 3rd party certified, and is the same technology as used in passports and credit cards.  A firmware update cannot extract the private keys from the Secure Element."

@Ledger

Why would you EVER trust what Ledger's team says after they lied about your keys never being able to leave a Ledger device while they were writing the code to extract keys from your device?!?

That's like your girlfriend saying she'll never leave you while she's signing up for Tinder & OK Cupid.

Has Ledger at least explained how a former employee still had enough access to cause this latest debacle?  And yet, as I ask that question, I feel ridiculous since I wouldn't believe the answer since Ledger lies to their users.

The expected loss is around 500K until now but we don't know yet the real value and if I am not wrong many of the owners even don't know yet that their compromise but the Tether address is blacklisted and others we will never be able to recover or identify the attackers.

It's probably better not to trust what Ledger's team says right now

But I believe the exploit didn't drain as much wallets as expected. Because if it did, many Ethereum/EVM chain users in BitcoinTalk would be starting many topics for complaining and scam accusations.

It's second, if user were to sign transaction he would lose his funds, and it's only EVM chains that were affected.

It's probably better not to trust what Ledger's team says right now, and verify with the DAPP's developers themselves if it's currently safe to connect.

Ledger claims that they removed the malicious file.



Link to twitter post

Attackers have managed to compromise a significant number of libraries by targeting just the connect-kit. Ledger identifies version 1.1.4 as the last known safe release but considers all releases up to 1.1.7, posted on the day of the attack, as compromised.

Ledger ConnectKit Library Compromised with a Drainer, Posing Security Risks to Web3 Apps

Ledger is already messed up a lot and now one more to add in that list.

I wish there was more information on the exploit. Like, is it really capable of draining coins from the hardware wallet, or is it a user mistake after accepting and confirming a malicious transaction? The first defeats the whole purpose of the hardware wallet, while the second is avoidable.

Oh that's ok then I guess... see Ledger is definitely not at fault there, it's the evil former Employee with a capital E.

Oh that's ok then I guess... see Ledger is definitely not at fault there, it's the evil former Employee with a capital E.

I'm sorry to be so blunt, but anybody who reads a forum like this and still uses Ledger hardware deserves whatever losses you incur.

former Ledger Employee

An even worse scenario would be if a Ledger employee is behind the code modification and phishing attack themselves.  

FINAL TIMELINE AND UPDATE TO CUSTOMERS:

4:49pm CET:

Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.

The investigation continues, here is the timeline of what we know about the exploit at this moment:

- This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account.
- The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7). The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet.
- Ledger’s technology and security teams were alerted and a fix was deployed within 40 minutes of Ledger becoming aware. The malicious file was live for around 5 hours, however we believe the window where funds were drained was limited to a period of less than two hours.
- Ledger coordinated with
@WalletConnect
 who quickly disabled the the rogue project.
- The genuine and verified Ledger Connect Kit version 1.1.8 is now propagating and is safe to use.
- For builders who are developing and interacting with the Ledger Connect Kit code: connect-kit development team  on the NPM project are now read-only and can’t directly push the NPM package for safety reasons.
- We have internally rotated the secrets to publish on Ledger’s GitHub.
- Developers, please check again that you’re using the latest version, 1.1.8.
- Ledger, along with
@Walletconnect
 and our partners, have reported the bad actor’s wallet address. The address is now visible on
@chainalysis
.
@Tether_to
 has frozen the bad actor’s USDT.
- We remind you to always Clear Sign with your Ledger. What you see on the Ledger screen is what you actually sign. If you still need to blind sign, use an additional Ledger mint wallet or parse your transaction manually.
- We are actively talking with customers whose funds might have been affected, and working proactively to help those individuals at this time.
- We are filing a complaint and working with law enforcement on the investigation to find the attacker.
- We’re studying the exploit in order to avoid further attacks. We believe the attacker’s address where the funds were drained is here: 0x658729879fca881d9526480b82ae00efc54b5c2d

Thank you to
@WalletConnect
, @Tether_io,
@Chainalysis
,
@zachxbt
, and the whole community that helped us and continue to help us identify and solve this attack.

Security will always prevail with the help of the whole ecosystem.

Ledger claims that they removed the malicious file.

What just happened with Ledger?

TL;DR:
1. Ledger loaded JS from a CDN 🌍
2. They did not lock the version of the loaded JS 🔓
3. Their CDN got compromised 🥷
4. The hacker injected malicious code into the JS 💣
5. Ledger Connect-Kit was widely used, affecting many dApps

Verify your transaction on-screen with your hardware wallet or get rekt ❗️

Being Bitcoin-only doesn't fix this. Using multi-sig doesn't fix this. Air-gapped security model doesn't fix this.

The real solution is:

1⃣ Users properly verifying transactions on their hardware wallet screen before signing
2⃣ Incentivizing security reviews and disclosures
3⃣ Devs pinning known-good dependency versions
4⃣ Open sourcing all the things

The only thing you as a user have control over is #1. If you're using a hardware wallet without verifying transaction details you're losing the vast majority of the benefit. If your wallet doesn't have a screen or encourages blind signing by not showing you all of the relevant details, get a new one.

Take the time to always verify transaction details before sending, it's worth a few seconds of your time.