September 18, 2020

Critical vulnerability found in Ledger crypto wallet

A vulnerability has been discovered in the Ledger hardware wallet that could lead to the loss of bitcoins by users. Security researcher Mohammad Nohbeh revealed information about her.

To carry out an attack, an attacker can create a transaction that looks like an altcoin transaction, but in reality will lead to the withdrawal of bitcoins from the user's wallet.

“The attacker can take advantage of thismethod for transferring bitcoin, while the user will have the impression that another, less valuable altcoin is being transacted (eg Litecoin, testnet bitcoin, Bitcoin Cash, etc.), ”Nohbeh writes.

For example, a user might think they are sending 0.01 LTC when in reality 0.01 BTC will be debited from their wallet.

The expert explained that Ledger hardware walletsuse several specialized applications, separately for each cryptocurrency, of which only one can be active at a certain moment. At the same time, as it turned out, external services can even access those applications that are currently inactive.

“It has been found that for bitcoin and forksBitcoin device provides functions when working with any asset. In other words, once you unblock the Litecoin app, you will be prompted to confirm the bitcoin transfer, while the interface will display the Litecoin transfer and address. If this request is accepted, a fully valid signed transaction will be sent on the Bitcoin mainnet, ”Nohbeh said.

Ledger acknowledged the problem, promisingrelease a new version of the application for working with bitcoin, which will display a warning if a non-standard transaction path is detected. The company explained that the availability of the bitcoin application when working with other cryptocurrencies is due to the peculiarity of the implementation of support for forks of the first cryptocurrency, which share a common transaction history with it.