GitHub and Reddit are alive with theories surrounding the exploit found in Copay's wallets after it was first announced by FallingSnow on GitHub. Essentially it is an attack specifically targeting Copay and does not affect Node.js wallets in general. GitHub member davidpelayo explains how the exploit works:
- Looks for the victim's hot wallet profiles (this could have been running in mobile apps as well as your regular browser, regardless of the device).
- Iterates over all wallet ids, mapping all public keys whose balances were over 100 BTC or 1e3 BCH.
- Sends it to a server in Kuala Lumpur (hosted here: https://www.shinjiru.com.my/ – taken from nmap -F 184.108.40.206).
How did the attacker achieve it?
Because they rewrote the Credentials.getKeys function, which is possible because of prototypes in JS. The attacker is capturing the password and sending it to the above server.
Copay was quick to comment on the issue, and has confirmed that there was malicious code deployed in their versions 5.0.2 through to 5.1.0. These include their Copay and BitPay apps. So if you are using any of these versions, we advise you to stop using them now!
After further research into this vulnerability we came across a comment by tchakabam explaining how simply the change was made and slipped through:
It is interesting to be able to look at the commit in copay that introduced the malicious package: bitpay/copay@6cc4b75#diff-b9cfc7f2cdf78a7f4b91a753d10865a2R232
There was only one simple change in their dev-dependencies where they manually downgraded something electron related. But that has most likely been done by running a plain npm install, as flatmap-stream came up suddenly, and that was because then some sub-dependency without version locking had event-stream in it 🙂 And then the package-lock rewrite just wasn't looked at too closely because well, we did change something about electron, so who knows, right?
Not looking at that too closely is something that could happen to any developer in many projects and companies out there I think, given the craps not given about the security risks of npm. But it shouldn’t happen to an org that you want to trust.
For more information, you can follow along here:
- The payload of the attack is unraveled at: https://github.com/dominictarr/event-stream/issues/116#issuecomment-441746370
- For a summary of the attack: https://github.com/dominictarr/event-stream/issues/116#issuecomment-441759047
- Further details on the targeted versions: https://github.com/dominictarr/event-stream/issues/116#issuecomment-441749105
- And lastly, the main issue tracking it: https://github.com/dominictarr/event-stream/issues/116