BitPay’s open-source bitcoin wallet Copay has been compromised by malicious code intended to steal Bitcoin (BTC) and Bitcoin Cash (BCH), the company warned its users in an official blog post on November 26, 2018.
BitPay’s Copay Wallet Compromised by Malicious Code
Global bitcoin payment service provider BitPay has warned its customers that their cryptocurrencies could be stolen after hackers managed to create a backdoor to the service.
According to the company’s official blog post, a third-party Node.js package used by the Copay and BitPay apps had been modified to load malicious code which could be used to capture users’ private keys.
And while the presence of the malware was identified on November 20, researchers at BitPay were only able to understand what the heavily obfuscated malicious code actually does on November 26.
So far, the company has only confirmed that the vulnerability pertains to a third-party Node.js module called event-stream, which is used in versions 5.0.2 through 5.1.0 of their Copay and BitPay apps. According to a GitHub issue report, this module was modified to load malware that is capable of stealing users’ private keys.
However, the blog post explained that the BitPay mobile app was not vulnerable to the code and that customers using the mobile app shouldn’t worry about the safety of their funds.
Still No Way of Knowing If Private Keys Were Stolen
According to BitPay, there is still no way of knowing whether or not users’ private keys were stolen in the hack. The company warns that users of affected versions “should assume” their private keys may have been compromised, and therefore move any holdings to new, secure v5.2.0 wallets “immediately.”
“Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds,” BitPay said in a statement.
According to the GitHub issue report, a user called right9ctrl was granted publishing rights to the event-stream library by its previous maintainer and was thereby able to get the modified Node.js module into the Copay app.
Dogecoin creator Jackson Palmer responded to the news on Twitter, saying that this is one of the major issues with JavaScript-based cryptocurrency wallets with heavy upstream dependencies coming from the Node.js package manager. He explained that BitPay essentially trusted all the upstream developers to never inject malicious code into their wallet, which is what led to the hack.
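The upstream trust Palmer describes can be audited from a project's lockfile. The following added example (not code from BitPay, Copay or the GitHub report) traces which chain of dependencies pulls a named package into an app. The lockfile contents, every package name other than event-stream and all version strings are constructed for illustration.

```javascript
// Trace how a package reaches an app through npm's package-lock.json
// ("packages" map, lockfileVersion 2 or 3).

// Resolve a dependency the way Node does: the dependent's own node_modules
// first, then each ancestor's node_modules up to the project root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (candidate in packages) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root project; returns the shortest dependency
// chain to each installed copy of `target`.
function findDependencyPaths(lock, target) {
  const packages = lock.packages || {};
  if (!packages[""]) return [];
  const chains = [];
  const seen = new Set([""]);
  const queue = [{ path: "", chain: [packages[""].name || "(root)"] }];
  while (queue.length > 0) {
    const { path, chain } = queue.shift();
    const entry = packages[path];
    const deps = { ...entry.dependencies, ...entry.optionalDependencies,
                   ...(path === "" ? entry.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolve(packages, path, name);
      if (next === null || seen.has(next)) continue;
      seen.add(next);
      const nextChain = [...chain, `${name}@${packages[next].version}`];
      if (name === target) chains.push(nextChain);
      else queue.push({ path: next, chain: nextChain });
    }
  }
  return chains;
}

// Constructed lockfile: the app never lists event-stream itself.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "wallet-app", dependencies: { "build-helper": "^1.0.0" } },
  "node_modules/build-helper": { version: "1.0.0", dependencies: { "task-runner": "^2.0.0" } },
  "node_modules/task-runner": { version: "2.1.0", dependencies: { "event-stream": "*" } },
  "node_modules/event-stream": { version: "0.0.0-placeholder" },
} };
console.log(findDependencyPaths(sampleLock, "event-stream").map((c) => c.join(" > ")));
```

Against a real project, pass the parsed contents of its package-lock.json in place of `sampleLock`.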
While the incident is serious, this is not the first time major vulnerabilities have been detected in a crypto wallet’s code. Back in September 2018, Bitcoin Core released an update following the detection of a vulnerability in its software, a bug which the co-owner of Bitcoin.org described as “very scary,” with the potential to have “crashed a huge chunk of the Bitcoin network if exploited by any rogue miners.”