BitPay issues firm recommendations to users after its Copay wallet is compromised by malicious code




On November 26, the crypto payment processor BitPay posted advice on its official blog for users of Copay, its open source BTC wallet, which has reportedly been compromised by malicious code.

The vulnerability affects a third-party Node.js module known as "event-stream", used in versions 5.0.2 through 5.1.0 of the Copay and BitPay apps. According to a GitHub issue report, this module was modified to load malware that can steal users' private keys.

BitPay's post states that the BitPay app was not vulnerable to the malicious code, but that its team was investigating whether the vulnerability had been exploited against Copay users.

In the meantime, the company has issued advice to its users, stating that anyone using Copay versions 5.0.2 through 5.1.0 "should not run or open the application". The company has released a security update (version 5.2.0), which should be available soon on the app stores.

The company also warned that users of affected versions "should assume" that their private keys may have been compromised and should therefore "immediately" move their holdings to new wallets on v5.2.0:

"Users should not attempt to transfer funds to new wallets by importing twelve-word backup phrases from the relevant wallets (which are potentially compromised private keys). Users must first update their affected wallets (5.0.2-5.1.0), and then send all funds of the relevant wallets to a brand new wallet of version 5.2.0, with the help of the Send Max feature to initiate transactions for all funds."

According to the GitHub report, a little-known user called right9ctrl requested and obtained publishing rights to the event-stream library (the Node.js module used in the Copay application) from its former maintainer, Dominic Tarr, who conceded that he was no longer maintaining the repository and that he did not suspect the new user of malice.

In response to the news, Dogecoin creator Jackson Palmer tweeted yesterday that he is worried that "this is one of the biggest problems in JavaScript-based cryptocurrency wallets with strong upstream dependencies from NPM [Node.js package manager]. @BitPay basically trusted all upstream developers to never inject malicious code into their wallet" - nor for [an] attacker "inadvertently.
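The upstream-dependency exposure Palmer describes can be checked against a project's own lockfile. The following is an added example, not code from BitPay, Copay or the GitHub report: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and lists every dependency chain that reaches a named package such as event-stream. The lockfile contents, every package name other than event-stream, and all version strings are constructed for illustration.

```javascript
// Resolve a dependency the way Node does: look in the requiring package's own
// node_modules first, then walk up toward the project root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. skipped optional dependency)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Return every chain "a@1 > b@2 > target@3" from the root project to `target`.
// Enumerates all paths, so it suits audits of a single package, not huge graphs.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (path, trail, onPath) => {
    const entry = packages[path];
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies,
      path === "" ? entry.devDependencies : {});
    for (const name of Object.keys(deps)) {
      const child = resolve(packages, path, name);
      if (!child || onPath.has(child)) continue; // missing or cyclic
      const step = trail.concat(name + "@" + packages[child].version);
      if (name === target) { chains.push(step.join(" > ")); continue; }
      onPath.add(child);
      walk(child, step, onPath);
      onPath.delete(child);
    }
  };
  if (packages[""]) walk("", [], new Set());
  return chains;
}

// Constructed sample lockfile: one hoisted and one nested copy of the target.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "wallet-app", dependencies: { "build-tool": "^1.0.0", "qr-lib": "^2.0.0" } },
  "node_modules/build-tool": { version: "1.4.0", dependencies: { "task-runner": "^3.0.0" } },
  "node_modules/task-runner": { version: "3.1.0", dependencies: { "event-stream": "*" } },
  "node_modules/event-stream": { version: "0.0.1-sample" },
  "node_modules/qr-lib": { version: "2.2.0", dependencies: { "event-stream": "*" } },
  "node_modules/qr-lib/node_modules/event-stream": { version: "0.0.2-sample" },
} };

console.log(findChains(sampleLock, "event-stream").join("\n"));
```

Each reported chain names the direct dependency that pulls the package in, which is where a pin, override or removal has to be applied.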

Earlier this fall, Bitcoin Core released an update following the detection of a vulnerability in its software, a bug that the co-owner of Bitcoin.org described as "very scary", with the potential to have "crushed a huge part of Bitcoin, if exploited by dishonest miners."
