BitPay wallet vulnerability caused by use of popular JavaScript library

Quick Take

  • The vulnerability allowed bitcoin and bitcoin cash to be stolen from user accounts
  • Many apps make use of the compromised code, but only crypto-wallet apps were affected

A vulnerability in the popular JavaScript library event-stream, used for streaming data in Node.js applications, affected BitPay’s Copay wallet application, which pulled the library in as a downstream (transitive) dependency. The vulnerability enabled malicious actors to steal bitcoin and bitcoin cash from accounts using BitPay’s Copay wallet application. Popular applications are built on many layers of open-source tooling. With too many changes to track manually, developers often take the stability of large open-source libraries for granted.

In this case, the malicious addition to the library was a well-executed social-engineering attack: the attacker, an anonymous developer with the handle right9ctrl, was given control of the code repository by maintainer Dominic Tarr three months ago, after offering to help maintain the code.

The malicious code was flagged in the original repository six days ago but was only fully understood more recently, as it specifically targeted the app Copay, a cryptocurrency wallet developed by the bitcoin payment processor BitPay. The issue was flagged on BitPay’s repository earlier today.

The added code was obfuscated, making it difficult to read at a glance. Once deobfuscated, the code revealed what it did:

  1. It was written to specifically look for hot wallets (those running in a browser or on mobile).
  2. The code specifically targeted accounts with balances > 100 BTC or 1000 BCH.
  3. The exploit then sent funds to a server in Kuala Lumpur after capturing the wallet passwords.

The issue was quickly resolved in a new release, but other wallets such as the Keoken bitcoin/bitcoin cash wallet, which copied BitPay’s codebase via a fork, are similarly affected. They are currently patching the vulnerability.

While the library is used in hundreds of thousands of other applications that were not affected, the incident has sparked an interesting conversation on many developer forums about potential future changes to developer workflows or open-source release architecture to avoid similar issues.
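One workflow change that follows directly from this incident is to make transitive dependencies visible instead of trusting them implicitly. The following script is an added example and is not BitPay's, Copay's or event-stream's own code: it walks the nested "dependencies" tree of an npm package-lock.json (lockfileVersion 1 layout) and reports every path by which a watched package name reaches the application, so a library that arrives three levels down, or one whose maintainership has just changed hands, can be spotted during review. The lockfile contents, the package name "some-cli-tool" and "left-lib", and the "0.0.0-placeholder" versions are constructed for the example; only "event-stream" is taken from the article.

```javascript
// Added example (not code from the article or from the projects it describes).
// Constructed sample lockfile: the root app pulls in "event-stream" twice, once
// directly and once nested under "some-cli-tool". Versions are placeholders.
const SAMPLE_LOCK = {
  name: "example-wallet-app",
  lockfileVersion: 1,
  dependencies: {
    "some-cli-tool": {
      version: "0.0.0-placeholder",
      dependencies: {
        "event-stream": { version: "0.0.0-placeholder-nested" },
      },
    },
    "event-stream": { version: "0.0.0-placeholder-top" },
    "left-lib": { version: "0.0.0-placeholder" },
  },
};

// Walk the nested "dependencies" tree and return one record per installed
// package, with the chain of package names that leads to it from the root.
function walkLock(lock) {
  const found = [];
  function visit(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const chain = [...path, name];
      found.push({
        name,
        version: entry.version,
        path: chain.join(" > "),
        depth: chain.length,
      });
      visit(entry.dependencies, chain); // recurse into nested installs
    }
  }
  visit(lock.dependencies, []);
  return found;
}

// Report every occurrence of a watched package name, direct or transitive.
// A package can appear more than once (different versions at different
// nesting levels), and each occurrence is reported with its own path.
function findWatched(lock, watchlist) {
  const watched = new Set(watchlist);
  return walkLock(lock).filter((pkg) => watched.has(pkg.name));
}

// How much of the installed tree nobody on the team chose explicitly:
// packages at depth > 1 were pulled in by other packages.
function transitiveShare(lock) {
  const all = walkLock(lock);
  return {
    total: all.length,
    transitive: all.filter((pkg) => pkg.depth > 1).length,
  };
}

// Human-readable summary for a CI log or a pull-request comment.
function report(lock, watchlist) {
  const lines = [];
  const share = transitiveShare(lock);
  lines.push(`${share.total} packages installed, ${share.transitive} transitive`);
  for (const hit of findWatched(lock, watchlist)) {
    lines.push(`watched package ${hit.name}@${hit.version} via: ${hit.path}`);
  }
  return lines;
}

console.log(report(SAMPLE_LOCK, ["event-stream"]).join("\n"));
```

In a real pipeline the lockfile would be read from disk with `JSON.parse` and the watchlist fed from whatever the team tracks (packages under investigation, packages that recently changed maintainers); the point is that the check runs against the lockfile that is actually installed, not against the handful of direct dependencies listed in package.json.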