What wallets are affected by the NPM package vulnerability?

7

Recently, a vulnerability was found in an open-source project used by some bitcoin wallet software (such as CoPay and BitPay).

Are there any other wallets known to be affected by this vulnerability?

If I am a user of this software, what steps can I take to secure my bitcoin?

chytrik

Posted 2018-11-27T11:12:00.597

Reputation: 13 841

Answers

7

Only Copay is affected by this vulnerability.

Although the package was included by many, many projects (both within and outside the crypto space), the attack payload was encrypted, and used the package description as a decryption key. They key in question was found to be (via brute force) A Secure Bitcoin Wallet, which is the npm description for the copay-dash package.

Thus, packages which did not have that as their description would be unable to decrypt, and hence execute, the payload.

Note that such attacks are feasible on any package that does not verify and pin its dependencies, even outside the nodejs ecosystem. Developers should work to ensure that they are importing vetted code, and pin (or even vendor) their dependencies. This is especially important for programs that deal with private keys.

Raghav Sood

Posted 2018-11-27T11:12:00.597

Reputation: 15 741

Can you define the verb "vendor"? I could only find the noun in major dictionaries. – Kevin – 2018-11-27T15:42:42.863

1@Kevin Vendoring means to keep a copy of a specific version of an external code dependency within your repository, so that you are always sure of what code you are running. It also prevents a third party from changing code without changing the version number and slipping it into your application. – Raghav Sood – 2018-11-27T16:09:42.220

1Ah. We do that all the time. It also makes it easier to fork the dependency and/or submit pull requests (which can be a double-edged sword if you don't have enough people or expertise to support a fork, but at least it gives you options). – Kevin – 2018-11-27T16:15:56.037

2I think "self-hosting" is a clearer, more common term for what you call "vendoring" here, unless that's an established term in the JS community. – Fund Monica's Lawsuit – 2018-11-27T18:09:22.167

1I picked vendoring based on what we call it in golang, I'm not 100% certain if the js folks have a specific term for it. – Raghav Sood – 2018-11-27T18:17:30.420