Topic: {Warning} Ledger exploit makes you spend Bitcoin instead of altcoins. (Read 138 times)

legendary
Activity: 2324
Merit: 6006
bitcoindata.science

At the very least thankfully bitcoin-only people are pretty much safe, so there's that.

Yes. To be stolen you need to log in to a fake third-party software, such as a fake new.

Not a huge vulnerability, but as they advertise you can use Ledger on an infected computer, this shouldn't really happen.
legendary
Activity: 3668
Merit: 6382
The isolation bypass was fixed and for the sake of actual Ledger users you should write (bolded, in the topic) that it's fixed, just people need to update.
You can find more info and links in my older post on this: https://bitcointalksearch.org/topic/m.54939433
mk4
legendary
Activity: 2786
Merit: 3845
Paldo.io 🤖
Quite a shitty vulnerability to say the least, and this is after they just had their database leaked like a week ago. They'd have to take major major precautions now if they don't want their reputation to drop down lower. Also knowing that as far as I know they were the #1 hardware wallet company.

At the very least thankfully bitcoin-only people are pretty much safe, so there's that.
legendary
Activity: 2212
Merit: 3148
₿uy / $ell ..oeleo ;(
I came across this news and decided to share it with you guys so people should be aware if their funds get locked by Ledger and cannot be spent. You guys need to update the hardware wallet to fix it.
I do not own a Ledger and I cannot 100% confirm the legitimacy of the source website, but it seems that the guy who found the vulnerability actually posted it on Twitter.

Quote
In brief
A vulnerability in Ledger's hardware wallets allows a request for an altcoin transaction to actually request the movement of Bitcoin.
The exploit was reportedly disclosed to Ledger back in 2019.
Ledger said it's because the firm wanted "to avoid a situation where user funds would be locked and users unable to spend their funds."

Quote
An exploit in Ledger’s crypto hardware wallets could allow malicious actors to steal Bitcoin, according to a report published by Liquality developer Mohammed Nokhbeh on Tuesday.

The attack works by the bad actor creating a transaction that looks like an altcoin payment (a coin that isn’t Bitcoin) when it actually takes Bitcoin out of the wallet instead.

“An attacker can exploit this method to transfer Bitcoin while the user is under the impression that a transaction of another, less valuable altcoin (e.g. Litecoin, Testnet Bitcoins, Bitcoin Cash, etc.) is being executed,” wrote Nokhbeh.
This is worrying because the user thinks that they’re handing out 0.01 of an altcoin, which could be far less valuable than 0.01 Bitcoin, for instance.

"A new version of the Bitcoin app will be released today, with an update that will display a warning and prompt for confirmation when an unexpected path is used—therefore solving this issue," said a Ledger spokesperson (who later confirmed that the fix is now live).

Source > https://decrypt.co/37651/ledger-exploit-makes-you-spend-bitcoin-instead-of-altcoins
Source, the guy who found the vulnerability > https://monokh.com/posts/ledger-app-isolation-bypass
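
The fix quoted above warns "when an unexpected path is used". As an added example (not Ledger's code and not part of the original post), here is one way such a check can work, assuming "unexpected" means the coin type in a BIP44-style derivation path does not match the coin app that received the request. The function names and sample paths are constructed for illustration.

```python
# Added example: coin-type check on a BIP32 derivation path (not Ledger's code).
HARDENED = 0x80000000

# SLIP-44 coin types for the coins named in the quoted report.
SLIP44 = {"bitcoin": 0, "testnet": 1, "litecoin": 2, "bitcoin_cash": 145}

# Purposes a wallet app normally derives under (BIP44, BIP49, BIP84).
KNOWN_PURPOSES = {44, 49, 84}


def parse_path(path):
    """Turn "m/44'/2'/0'/0/5" into a list of 32-bit child indexes."""
    parts = path.strip().split("/")
    if parts[0] != "m" or len(parts) < 2:
        raise ValueError("path must start with m/")
    out = []
    for part in parts[1:]:
        hardened = part.endswith(("'", "h", "H"))
        digits = part[:-1] if hardened else part
        if not digits.isdigit():
            raise ValueError(f"bad path element: {part!r}")
        index = int(digits)
        if index >= HARDENED:
            raise ValueError(f"index out of range: {part!r}")
        out.append(index | HARDENED if hardened else index)
    return out


def check_path(app_coin, path):
    """Return ("ok", None) or ("warn", reason) for a key request sent to app_coin."""
    indexes = parse_path(path)
    if len(indexes) < 2:
        return "warn", "path too short to carry a coin type"
    purpose, coin = indexes[0], indexes[1]
    if not (purpose & HARDENED and coin & HARDENED):
        return "warn", "purpose and coin type must be hardened"
    if purpose ^ HARDENED not in KNOWN_PURPOSES:
        return "warn", f"unexpected purpose {purpose ^ HARDENED}"
    if coin ^ HARDENED != SLIP44[app_coin]:
        return "warn", f"coin type {coin ^ HARDENED} does not belong to {app_coin}"
    return "ok", None
```

A "warn" result corresponds to the on-device confirmation prompt the Ledger spokesperson describes; the host software cannot suppress it because the check runs where the keys are.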