The BitPay Copay bitcoin wallet has been compromised

Posted: 27 November 2018 2:24 pm
A single email can do a lot of damage.

BitPay announced today that its Copay wallet was compromised. Specifically, someone managed to inject malicious code into Copay versions 5.0.2 through 5.1.0. The BitPay app itself was not affected.

Do not open the program if you are using those versions of the wallet.

Instead, update to the new 5.2.0 version first, then use that version to remove all funds and send them to a new wallet. You can either generate a brand new wallet with the 5.2.0 version, or send funds to a different wallet. Do not use the recovery phrases or anything else from the compromised versions. BitPay is still investigating whether any users were affected.

How it happened

It all began with a single email.

Open source heists

This attack took advantage of workflow quirks in open source development. Specifically, someone going by right9ctrl managed to gain ownership and control of a package of code owned by someone going by dominictarr.

They simply asked to take over, and because Tarr wasn't doing anything with it, wasn't getting anything from it and didn't really care for it anymore, he handed it over no questions asked.

Unfortunately, that package of code was feeding into a bigger code library called EventStream, downloaded about two million times per week and used by institutions around the world, including Fortune 500 companies, small businesses and BitPay.

In the interests of fairness, it's worth emphasising that most EventStream users might have been similarly vulnerable to this kind of attack. However, this attack seems to have been specifically intended to single out Copay wallets as a rich target due to their relative popularity.

Once they had access to this river of open source development, the attacker proceeded carefully.

The first step, on 8 September, was to introduce a benign module known as flatmap-stream. The second step, implemented on 5 October, was to update flatmap-stream with a backdoor that attempts to steal bitcoin wallets when executed – such as when someone runs their bitcoin wallet program – and move the funds to a server in Malaysia.

Basically, the entire river that millions of users and countless applications drink from was contaminated. However, the contaminant was specifically engineered to only affect a very specific and lucrative subset of those drinking from it.

The wider problem

This type of "supply chain attack", which is basically when a hacker manages to pee in the river upstream of thirsty developers, is part of a much wider problem.

Open source development is regarded as a cornerstone of cybersecurity, necessary to prevent people from putting blind trust in programming they can't see and allowing the entire world to pick it apart for vulnerabilities. The idea is that it can encourage proactive security, rather than the more traditional method of waiting for something bad to happen then mending it later and chalking it up to a learning experience.

But it also raises new questions around the risks of people putting blind trust in programming they can see, and (reasonably) assuming that a code library being downloaded two million times a week is safe.

Constantly eyeballing your way through millions of lines of code isn't really feasible, so depending on the situation, you might run various tests before adopting a dependency. But if those tests are transparent, attackers can more easily defeat them; if they're secret, then they might also be more reactive than proactive.

The solution is still elusive, and on a certain level, the Internet is just a very scary place with countless avenues of robbery. But until quite recently, the only thing that thieves could really steal was data, which could easily go unnoticed or be written off as the cost of surfing the web, while attempts to steal actual money would often run into the more tangible walls put up by the banks which guard people's funds.

Cryptocurrency is a different beast though. It's money in the form of data, which comes with a lot of downsides and presents a lot of opportunities for clever hackers. There's a reason people use hardware wallets. They bring back the additional security of adding physical real-world elements to data handling, and likely would have protected Copay users who may have been affected by this incident.

Copay, unfortunately, no longer has hardware wallet integration. It was removed by necessity at the start of 2018 when Google retired support for Chrome apps on all platforms except Chrome OS. It's another very apt and very related example of how upstream changes can affect developers and users downstream, and how a lack of standardisation is impacting the Internet.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Picture: Shutterstock
