Crypto payment processor BitPay issued advice on its official
blog yesterday, Nov. 26, for users of its open-source Bitcoin
(BTC) wallet Copay, which has reportedly been compromised by
malicious code.
The vulnerability pertains to a third-party Node.js module,
known as event-stream, which is used in versions 5.0.2
through 5.1.0 of BitPay’s Copay and BitPay apps. According to a
GitHub issue report, this module was modified to load malware
that is capable of stealing users’ private keys.
BitPay’s post states that the BitPay app was not vulnerable to the
malicious code, but that its team is investigating whether the
vulnerability has been exploited against any Copay users.
In the meantime, the company has outlined advice for its users,
stating that anyone using Copay versions 5.0.2 through 5.1.0
“should not run or open the app.” The company has released a
security update in version 5.2.0, which is due for imminent
release on app stores.
The company also warns that users of affected versions “should
assume” their private keys may have been compromised, and
therefore move any holdings to new, secure v5.2.0 wallets
“immediately”:
“Users should not attempt to move funds to new wallets by
importing affected wallets' twelve word backup phrases
(which correspond to potentially compromised private
keys). Users should first update their affected wallets
(5.0.2-5.1.0) and then send all funds from affected wallets
to a brand new wallet on version 5.2.0, using the Send Max
feature to initiate transactions of all funds.”
According to the GitHub issue report, a little-known user called
right9ctrl requested and was granted publishing rights to the
event-stream library (which is used in the Node.js module on the
Copay app) from its previous maintainer, Dominic Tarr, who
conceded he was no longer maintaining the repository and did not
suspect the new user of malicious intent.
In response to the news, Dogecoin creator Jackson Palmer
yesterday tweeted his concern that “this is one of the major issues
with JavaScript-based cryptocurrency wallets with heavy up-
stream dependencies coming from NPM [Node.js package
manager]. @BitPay essentially trusted all the up-stream
developers to never inject malicious code into their wallet” – nor
to “let [an] attacker in” inadvertently.
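The concern above comes down to knowing which upstream packages actually land in a build. As an added example (not BitPay's or Copay's code), the following Node.js script walks an npm lockfile and reports every installed copy of event-stream and every package that requires it. It assumes the nested lockfileVersion 1 layout; the sample lockfile, its other package names and all version numbers are constructed placeholders.

```javascript
// Added example: locate every installed copy of a package in an npm
// lockfile (nested lockfileVersion 1 layout, an assumption) and list
// the packages that declare it in their "requires" map.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);

function findPackage(lock, target) {
  const installed = [];   // copies that would be placed in node_modules
  const requiredBy = [];  // packages that ask for the target
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === target) {
        installed.push({ path: path.join(' > '), version: meta.version });
      }
      if (has(meta.requires, target)) {
        requiredBy.push({ path: path.join(' > '), range: meta.requires[target] });
      }
      walk(meta.dependencies, path); // descend into nested node_modules
    }
  })(lock.dependencies, [lock.name || '(root)']);
  return { installed, requiredBy };
}

// Constructed sample: only the name "event-stream" comes from the article;
// every other name and every version number is a placeholder.
const SAMPLE_LOCK = {
  name: 'example-wallet',
  lockfileVersion: 1,
  dependencies: {
    'build-helper': {
      version: '1.0.0',
      requires: { 'event-stream': '^0.0.1' },
    },
    'event-stream': { version: '0.0.1' },
    'other-tool': {
      version: '2.0.0',
      requires: { 'event-stream': '~0.0.2' },
      dependencies: { 'event-stream': { version: '0.0.2' } },
    },
    'unrelated': { version: '3.0.0' },
  },
};

const report = findPackage(SAMPLE_LOCK, 'event-stream');
console.log(JSON.stringify(report, null, 2));
```

Two copies are reported here even though the top-level project never names event-stream itself, which is the situation the tweet describes.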
Earlier this fall, Bitcoin Core released an update following the
detection of a vulnerability in its software, a bug which the co-
owner of Bitcoin.org described as “very scary,” with the potential
to have “crashed a huge chunk of the Bitcoin network if exploited
by any rogue miners.”
Source: https://cointelegraph.com