[ad_1]
Bitcoin Global Payment Service BitPay has warned customers of a vulnerability affecting a third-party NodeJS package used by Copay and BitPay applications that can be used to capture users' private keys. The company said the malicious code had been deployed on versions 5.0.2 to 5.1.0 of its Copay and BitPay applications. BitPay has recommended users to immediately transfer funds to new portfolios as private keys are potentially compromised.
BitPay checks if Copay users exploited by code vulnerability
BitPay is currently investigating whether Copay users have been attacked for malicious code, the company said in a statement.
"At the present time, we have only confirmed that the malicious code was deployed on versions 5.0.2 to 5.1.0 of our Copay and BitPay applications. However, the BitPay application was not vulnerable to malicious code. We are still wondering if this code vulnerability has already been exploited against Copay users. "
The Bitcoin payment service warned customers not to use an infected Copay version before running a security update provided by BitPay in the application stores.
"Our team continues to investigate this problem and the extent of vulnerability. In the meantime, if you are using a version of Copay 5.0.2 through 5.1.0, you should not run or open the application. A security update (5.2.0) has been released and will be available for all users of the Copay and BitPay wallet in the app stores. "
In addition, BitPay recommended that users immediately transfer funds to new portfolios (version 5.2.0) as private keys could be compromised. The Atlanta-based company warned users not to import the backup phrases of the concerned portfolios, as they could also be compromised.
"Users should not attempt to transfer funds to new portfolios by importing twelve-word backup phrases from the relevant portfolios (which are potentially compromised private keys). Users must first update their affected portfolios (5.0.2-5.1.0), and then send all funds of the relevant portfolios to a brand new portfolio of version 5.2.0, to help of the Send Max feature to initiate transactions for all funds. "
BitPay discovered the existence of a malicious charge via a Copay GitHub incident report. According to comments on GitHub, the malware "was really sneaky and caused the downloading of private keys only for portfolios containing actually more than 100 BTC". BitPay and its users were lucky this time, but should be prepared for future attacks, according to Atomantic, a GitHub user.
"We narrowly escaped mbad robbery / liquidation. It would be good to add to the monitoring of network output in automated tests if it is not already part of the construction validation process. "
In April 2018, BitPay issued a warning about a Trojan called Coinbitclip, which affected certain purchases using Bitcoin processed by the payment service. The Trojan has not infected any specific Bitcoin wallet or payment system, but only individual Windows users, just like most types of ransomware.
Shutterstock's picture
Source link