BitPay’s Bitcoin Wallets Compromised After Rogue Developer Exploited JavaScript Library

  • BitPay’s wallet software has been compromised and later patched
  • The malicious code could expose users’ private keys
  • Wallets with large BTC and BCH balances were targeted
  • The issue comes from an open source JS library used in its software
  • BitPay and CoPay wallet owners are urged to update their apps and to transfer their funds to a completely new wallet

BitPay has released a statement acknowledging that a Node.JS package used in its Copay and BitPay apps were compromised, allowing malicious code to steal crypto from the targeted Copay wallets.

BitPay has said that the vulnerability affected only the Copay wallet app, hitting versions 5.0.2 through to 5.1.0. Users of the popular wallet have been advised to update to version 5.2.0 or transfer their funds to a new wallet.

Meanwhile, the Bitcoin payment processor team is conducting further investigations into the attack that affected the Js library event-stream, popular with millions of users who depend on it downstream.

How the attack happened

An email from right9ctrl to another GitHub user Dominic Tarr (dominictarr) sparked the seemingly well-orchestrated social engineering attack.

The latter, whose coding footprint was very minimal, gained control of a module after dominictarr gave him publishing rights and ownership of the event-stream library.

With access to the open source code, right9ctrl moved to introduce the malicious code. He first injected a benign flat map-stream module on September 8, 2018, targeting ps-tree.

On October 5, 2018, he moved to the next step by updating flat map-stream and injecting a backdoor code that compromised targeted wallets by stealing private keys, making it possible to pinch crypto.

The malicious event-stream code was flagged a week ago but was only understood two days ago to have specifically targeted BitPay’s Copay app.

The injected malware was obfuscated, which made it difficult for users to figure it out the first time. However, the vulnerability was revealed when expanded.

It showed that the malicious code explicitly targeted hot wallets (browser-based or mobile wallets), and was designed to attack accounts whose balances were more than 100 BTC or 1000 BCH.

The malware executes when a user runs their wallet program, allowing the code to transfer the stolen funds to a server based in Kuala Lumpur, Malaysia.

Copay’s patch to the vulnerability is also being implemented by other wallets that copied BitPay’s code including Keoken.

The wider problem of open source development

Using malware in an upstream development is part of the reason “supply chain attacks” are a big part of the problem that faces open source development.

For all intent and purposes, open source development is the foundation of cybersecurity, encouraging proactive security.

However, it also raises that pertinent question: are people putting too much trust in upstream software programs simply because “they can see” what is being developed?

Open source development is mostly considered (wrongly in some instances), as being all about ideals or hobbyists and thus well-intentioned.

That notion applies to a lot of open source projects, which have gained a lot of trust as a result of the attendant transparency. Nevertheless, having good intentions does not ring true of all developers.

JavaScript-based crypto wallets face the same trust challenge, with too much dependency on upstream development.

Copay, unfortunately, removed hardware wallet integration earlier this year, following Google’s move to retire support for Chrome-based apps on all of its platforms except those on the Chrome OS.

As such, BitPay would do better as not to expose millions of its users and billions of dollars in crypto funds to risks by using software developed on the principle of trust.

The giant Bitcoin payment processor has enough in its coffers to actively engage in developing code libraries such as the event-stream.

If not, it can utilize forked versions, which allows it to verify each update and to declare it safe before allowing users to run it.

Disclaimer: This is not investment advice. Cryptocurrencies are highly volatile assets and are very risky investments. Do your research and consult an investment professional before investing. Never invest more than you can afford to lose. Never borrow money to invest in cryptocurrencies.

Leave A Reply

Your email address will not be published.