The LedgerHQ Twitter account just reported a security concern with their Ledger products that also affects all other hardware wallets at this time.
While the wallet itself isn't vulnerable, the receive address is generated by JavaScript running on the host machine. Malware running on your host machine can manipulate the displayed address, substituting a hacker's address.
Concerns about the attack
(Pulled from vulnerability doc)
- All the ledger wallet software is located in the AppData folder, meaning that even an unprivileged malware can modify them (no need to gain administrative rights).
- The ledger wallet doesn’t implement any integrity-check/anti-tampering to its source files, meaning they can be modified by anyone.
- All the malware needs to do is replace one line of code in the ledger software, this can be achieved with less than 10 lines of python code.
- New ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised causing the user to lose all of his funds.
- The attack changes the receive address during its generation, causing even the automatically generated QR to be updated to the attacker’s address. Meaning that both the string and QR representations of the address are compromised.
The only solution is to force the hardware device to show the address on its own display screen and verify that it matches the one shown on the host. On the Ledger this can be done with the Monitor Button.
On the Trezor, there is a button to show the address on the device's display screen.
More information about the vulnerability can be found here. This is not limited to Ledger or Trezor; any device that runs a client on the host machine can be at risk.
There are always some holes in the security no one has discovered yet...
This was both mean and funny, I feel bad for enjoying it :))
Those are what you call the known unknowns. One must really worry about the unknown unknowns.
Wow. Thanks for sharing.
I assume if you use the address you generated a while back and use it every time you transfer funds to the hardware wallet then all this problem will be mitigated?
Yes, but having a unique receive address each transfer is very nice.
Thanks for sharing, friend/upvoted
This post has received gratitude of 3.82 % from @appreciator thanks to: @themarkymark.
Hopefully the dons of the crypto market can do something about this
if these hackers worked for something positive.... the world would be much better.
Thanks for the post... I'll always check the address.
they work for a positive cash flow what's wrong with that... ;-)
I hope they do not want to work for a positive cash flow with my ledger... =)
this great post
Good morning friend your precious post has impressed me,
EXCELLENT
Just another item to add on the list of stuff to verify.
Annoying, however in the ongoing struggle to keep things secure this is not a big surprise.
Spoofing addresses is indeed an issue to pay attention to.
Thanks for the update