ARK Windows Desktop Wallet Compromised

Rok Černec
Published in ARK.io | Blog
Jul 16, 2018

On Sunday, July 15th 2018, at approximately 14:36 UTC, the 32-bit and 64-bit Windows installers of ARK Desktop Wallet 1.6.0 on the official GitHub repository were replaced with compromised versions. Please note: if you downloaded the Windows wallet during this period, action is required. We recommend checking even earlier downloads, back to July 12th, to be sure.

Are my funds safe?

If you have not downloaded either of the compromised versions of the Windows desktop wallet, your funds are safe. The compromised versions were downloaded 57 times in total, so at most 57 people are potentially at risk.

What is compromised?

The desktop wallet installers for Windows 32-bit and Windows 64-bit were compromised. Due to the nature of the compromise, your accounts and any assets held on exchanges may be at risk. The primary target at this time appears to be the Binance exchange. As the initial report states, the compromised installer tries to install a rogue root certificate into the user's trusted certificate store. Once a root the attacker controls is trusted, a forged certificate for the Binance website chains to it, so a look-alike site run by the attacker shows a valid certificate and the green shield without any browser warning, making users believe they are visiting the real Binance.com when in reality they are on a duplicate website meant to steal their credentials. The certificate alone does not redirect traffic, so the attacker still has to get the victim to the fake site by some other means; the lesson is that the padlock is not proof of a site's identity once the trust store has been tampered with.

Is it now safe to download 1.6.0 wallet from GitHub?

Yes. The compromised versions were removed and the original versions have been re-uploaded. Please validate the SHA-256 hash of every download against the values listed below.

How do I know if I have been compromised?

Users can take the following steps to validate their desktop installer to determine if they have received the compromised version.
Note: This can be done on any future download to verify the file hash and ensure the version downloaded is the correct version.

[Image: Example of VirusTotal scan of the ARK Mac Desktop Wallet Installer v1.6.0]
  1. Upload your Windows installer for ark-desktop 1.6.0 to https://virustotal.com and check that the SHA-256 hash matches the value for your version:
     Win32 (ArkClient-Win32-1.6.0.exe): c8d776cdb2d724fa3bce2b88ee2f601418cca9fc7163861f5326b0640cc5c916
     Win64 (ArkClient-Win64-1.6.0.exe): 0bb7f8e7238729a9b60e9110a34646ac7f7416831a4f0584678ab9d993746e43
  2. If the SHA-256 hash does not match, it is highly likely that your computer is compromised.
  3. If you can't find your Windows installer and you downloaded it on July 15th 2018, assume you are compromised.
  4. It has been reported that the infected version of the installer also creates a new folder at C:\Users\UserName\AppData\Local\Microsoft\CLR_v2.0 (where UserName is your Windows account name). As a precaution, check your system for this folder to determine whether it may have been compromised.
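The checks above can be run locally in one go. The following PowerShell script is an added example, not ARK's own tooling and not code from the original post: it hashes the installer with Get-FileHash (so the file never has to be uploaded to VirusTotal), compares it against the two published SHA-256 values, and then looks for the two indicators named above, the CLR_v2.0 folder and a trusted root certificate associated with Binance. The installer path used in the usage line is only an example, and the subject string "Binance" used to find the rogue root certificate is an assumption, since the post does not quote the certificate itself.

```powershell
# Added example: not ARK's tooling and not code from the original post.
# Verifies an ARK Desktop Wallet 1.6.0 Windows installer against the SHA-256
# values published in the post, then checks the two indicators the post names.
# Assumptions: the installer path in the usage line is an example; the subject
# string 'binance' for the rogue root certificate is an assumption, since the post
# does not quote the certificate. Run in Windows PowerShell 5.1 or later.

# Known-good hashes from the post (uppercase, as Get-FileHash prints them)
$GoodHashes = @{
    'ArkClient-Win32-1.6.0.exe' = 'C8D776CDB2D724FA3BCE2B88EE2F601418CCA9FC7163861F5326B0640CC5C916'
    'ArkClient-Win64-1.6.0.exe' = '0BB7F8E7238729A9B60E9110A34646AC7F7416831A4F0584678AB9D993746E43'
}

function Test-ArkInstaller {
    # Returns $true only when the file's SHA-256 equals the published value.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Installer not found at $Path. If it was downloaded on July 15th 2018 and is now gone, assume compromise."
        return $false
    }
    $name = Split-Path -Leaf $Path
    if (-not $GoodHashes.ContainsKey($name)) {
        Write-Warning "No published hash for '$name'; compare it manually against the post."
        return $false
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -eq $GoodHashes[$name]) {
        Write-Host "OK: $name matches the published SHA-256." -ForegroundColor Green
        return $true
    }
    Write-Warning "MISMATCH: $name hashed to $actual. Treat this machine as compromised."
    return $false
}

function Find-CompromiseIndicators {
    # Returns a list of findings; an empty list means neither indicator was seen.
    $hits = @()

    # 1. Folder the infected installer was reported to create
    $clrDir = Join-Path $env:LOCALAPPDATA 'Microsoft\CLR_v2.0'
    if (Test-Path -LiteralPath $clrDir) {
        $hits += "Folder present: $clrDir"
        foreach ($f in (Get-ChildItem -LiteralPath $clrDir -Recurse -Force -File -ErrorAction SilentlyContinue)) {
            $hits += "  contains: $($f.FullName) ($($f.Length) bytes, written $($f.LastWriteTime))"
        }
    }

    # 2. Trusted root certificates whose subject mentions Binance, in both the
    #    per-user and the machine-wide root stores. Trusted roots are CA
    #    certificates, not certificates for one website, so any hit is suspicious.
    #    (subject string is an assumption; the post does not quote the certificate)
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        foreach ($cert in (Get-ChildItem -Path $store | Where-Object { $_.Subject -match 'binance' })) {
            $hits += "Rogue root in ${store}: $($cert.Subject) thumbprint $($cert.Thumbprint) valid from $($cert.NotBefore)"
        }
    }
    return ,$hits
}

# Usage: point at wherever the installer was saved (the path below is an example)
$ok = Test-ArkInstaller -Path (Join-Path $env:USERPROFILE 'Downloads\ArkClient-Win64-1.6.0.exe')
$indicators = Find-CompromiseIndicators
$indicators | ForEach-Object { Write-Warning $_ }
if (-not $ok -or $indicators.Count -gt 0) {
    Write-Warning 'Reset passwords and enable 2FA now, then follow the remediation steps in this post.'
}
```

The certificate check lists both root stores because a per-user install does not need administrator rights, whereas the machine-wide store does; an installer running elevated could write to either. Run the script from an elevated prompt so that the LocalMachine store is fully readable, and treat any hit, or any hash mismatch, as grounds for the remediation steps that follow.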

I suspect I have been compromised, what should I do?

  1. Reset login passwords and enable 2FA on all important websites as soon as possible. 2FA should reasonably protect against the method used by this form of malicious download, though bear in mind that a live phishing page can relay a one-time code to the real site, so 2FA narrows the attacker's window rather than closing it; reset the password regardless. While we have only seen certificates related to Binance.com, please understand that this same method could be used to harvest credentials for email, social media, and other exchanges such as Bittrex. It is best to reset any potentially compromised password and enable 2FA on all sites where possible.
  2. We recommend that you back up your data to an external hard drive and reset Windows on your computer. For instructions, see https://support.microsoft.com/en-us/help/12415/windows-10-recovery-options

Recap of Compromise / Full Disclosure

On Sunday, July 15th, 2018, it came to our attention that GitHub user GeorgH93 (https://github.com/GeorgH93) had reported a compromised version of the ARK Desktop Wallet (https://github.com/ArkEcosystem/desktop-wallet/issues/607).

The user reported a mismatched checksum on the official installer download. On initiation, the compromised installer attempted to install a new root certificate associated with Binance.

Upon notification, the ARK team immediately removed the downloads in question and verified that the compromise did not impact the remaining versions of the installer.

The following were affected versions:

  • 1.6.0 Windows 32-bit Installer
  • 1.6.0 Windows 64-bit Installer

The incident is still under review by our team and we are reaching out to GitHub for assistance in tracking down additional details surrounding the compromise.

Initial review shows that the incident was caused by the compromise of an ARK developer's GitHub account.

The ARK team member was in South Korea attending the Korea Blockchain Summit and had used the hotel-supplied Wi-Fi network while attending the conference. The exact method of compromise has yet to be determined, and we will pursue all avenues to determine what additional actions, if any, the attacker may have taken after gaining access to the developer's accounts.

According to GitHub logs, the compromised installers were uploaded and replaced at approximately 14:36:32Z on 15th July 2018 and 14:38:36Z on 15th July 2018. Between the time of the compromise and our removal of the installers in question, the 32-bit Installer was downloaded 11 times and the 64-bit installer 46 times.

The following original SHA256 hashes for Windows 32-bit and Windows 64-bit versions of Ark Desktop Wallet 1.6.0 are considered genuine:

Windows-x86 (32 bit version)

c8d776cdb2d724fa3bce2b88ee2f601418cca9fc7163861f5326b0640cc5c916

Windows-x64 (64 bit version)

0bb7f8e7238729a9b60e9110a34646ac7f7416831a4f0584678ab9d993746e43

If you have downloaded any Windows version of the desktop wallet installer in the past few days, we strongly encourage you to check the file hash, either by uploading the installer .exe to VirusTotal.com and reading the SHA-256 hash it reports, or by hashing the file locally, and comparing the result against the values listed above. They should match. If they do not match, you have downloaded a compromised installer.

At this time, our primary concern is safeguarding the accounts of our users. The following are steps you can take to ensure that your ARK desktop wallet is safe to use and to protect yourself in the future should an event like this take place again:

  1. Validate the SHA256 hash value of your installer and ensure it matches the official client hash value.
  2. If the values do NOT match, please reach out to the ARK team at security@ark.io for additional instructions so that we can walk you through the process of removing any malicious files.
  3. Enable 2-Factor Authentication on all relevant accounts. This goes for Email, Social Media, crypto exchanges, or any other account that will allow it. 2FA will help prevent compromise of your accounts by any one single method. If someone gains access to your account credentials, they would still need your phone or 2FA device in order to gain access to your account.

In addition, we have identified several policy changes that will help prevent future compromise of both our systems and our team members.

  1. Effective immediately, ARK has enabled GitHub's built-in organization setting that requires all team members to have 2FA enabled in order to access our repositories (https://help.github.com/articles/requiring-two-factor-authentication-in-your-organization/).
  2. We are currently reviewing our internal security policy and have begun the process of re-assigning what access members of the team have to specific functions and repositories. This will limit the number of team members who have access to critical functions that could create additional vulnerabilities in the future (https://help.github.com/articles/repository-permission-levels-for-an-organization/).
  3. ARK will be addressing any potential vulnerabilities that can lead to this kind of compromise as well as the proposed solutions as we continue to review the specifics of what happened. We will be spending time reviewing proper security procedures with all members of the team over the course of the next several weeks and will work to ensure that compromises like this are avoided as much as possible in the future.
  4. Since the Desktop Wallet releases are the most prominent targets for an attack, we have developed a special tool that checks for any changes in the releases of the Desktop Wallets on the GitHub repository which instantly lets us know if something changes.
  5. For all future releases, we will also cross-post the hash values to the blog announcement to allow for multiple sources of verification, starting with the re-release of the clean version of 1.6.0.
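Item 4 above describes a monitor for release changes without showing it. The script below is an added example of how such a monitor can work; it is not ARK's tool, whose code the post does not publish. It reduces each GitHub release asset to the fields that change when a binary is swapped out (the numeric asset id, the size and updated_at), diffs a stored baseline against the current state, and reports anything replaced, modified, added or removed. Replacing an asset's file normally requires deleting and re-uploading it, which yields a new id, so an id change is the strongest signal. The repository name comes from the issue URL quoted in this post; the tag name "1.6.0", the asset ids, sizes and timestamps in the sample JSON are constructed for offline demonstration and are not real API output.

```powershell
# Added example: not ARK's release-monitoring tool (its code is not in the post).
# Diffs a baseline snapshot of a GitHub release's assets against the current
# state and alerts on any replaced, modified, added or removed asset.
# Assumptions: repository name taken from the post's issue URL; the tag '1.6.0'
# is assumed; the sample JSON below is constructed, not real API output.

function Get-ReleaseAssetMap {
    # Keep only the fields that change when an asset's file is swapped out.
    param([Parameter(Mandatory)][object[]]$Assets)
    $map = @{}
    foreach ($a in $Assets) {
        $map[[string]$a.name] = [pscustomobject]@{
            Id        = [int64]$a.id
            Size      = [int64]$a.size
            UpdatedAt = [string]$a.updated_at
        }
    }
    return $map
}

function Compare-ReleaseAssets {
    # Returns an array of alert strings; empty when nothing changed.
    param([Parameter(Mandatory)][hashtable]$Baseline, [Parameter(Mandatory)][hashtable]$Current)
    $alerts = @()
    foreach ($name in $Baseline.Keys) {
        if (-not $Current.ContainsKey($name)) { $alerts += "REMOVED: $name"; continue }
        $b = $Baseline[$name]; $c = $Current[$name]
        if ($b.Id -ne $c.Id) {
            # A new id means the file was deleted and re-uploaded under the same name
            $alerts += "REPLACED: $name (asset id $($b.Id) -> $($c.Id), updated $($c.UpdatedAt))"
        } elseif (($b.Size -ne $c.Size) -or ($b.UpdatedAt -ne $c.UpdatedAt)) {
            $alerts += "MODIFIED: $name (size $($b.Size) -> $($c.Size), updated $($b.UpdatedAt) -> $($c.UpdatedAt))"
        }
    }
    foreach ($name in $Current.Keys) {
        if (-not $Baseline.ContainsKey($name)) { $alerts += "ADDED: $name" }
    }
    return ,$alerts
}

function Get-LiveReleaseAssets {
    # Live use only (needs network): GitHub's public release-by-tag endpoint.
    # Anonymous requests are rate-limited; GitHub requires a User-Agent header.
    param([string]$Repo = 'ArkEcosystem/desktop-wallet', [string]$Tag = '1.6.0')
    $rel = Invoke-RestMethod -Uri "https://api.github.com/repos/$Repo/releases/tags/$Tag" `
                             -Headers @{ 'User-Agent' = 'release-watch' }
    return $rel.assets
}

# Constructed sample, shaped like the API's asset objects: in the "current" state
# both Windows installers have been deleted and re-uploaded (new ids, sizes, times).
$baselineJson = @'
[ {"id": 7000001, "name": "ArkClient-Win32-1.6.0.exe", "size": 64000000, "updated_at": "2018-07-12T09:00:00Z"},
  {"id": 7000002, "name": "ArkClient-Win64-1.6.0.exe", "size": 65000000, "updated_at": "2018-07-12T09:01:00Z"},
  {"id": 7000003, "name": "ArkClient-Mac-1.6.0.dmg",   "size": 70000000, "updated_at": "2018-07-12T09:02:00Z"} ]
'@
$currentJson = @'
[ {"id": 7100500, "name": "ArkClient-Win32-1.6.0.exe", "size": 64200000, "updated_at": "2018-07-15T14:36:32Z"},
  {"id": 7100501, "name": "ArkClient-Win64-1.6.0.exe", "size": 65300000, "updated_at": "2018-07-15T14:38:36Z"},
  {"id": 7000003, "name": "ArkClient-Mac-1.6.0.dmg",   "size": 70000000, "updated_at": "2018-07-12T09:02:00Z"} ]
'@

$baseline = Get-ReleaseAssetMap -Assets (ConvertFrom-Json $baselineJson)
$current  = Get-ReleaseAssetMap -Assets (ConvertFrom-Json $currentJson)
# For live monitoring, replace the line above with:
#   $current = Get-ReleaseAssetMap -Assets (Get-LiveReleaseAssets)
$alerts = Compare-ReleaseAssets -Baseline $baseline -Current $current
if ($alerts.Count -gt 0) { $alerts | ForEach-Object { Write-Warning $_ } } else { 'Release assets unchanged.' }
```

Two design points matter for this kind of monitor. First, the baseline must be stored somewhere the repository's own credentials cannot reach, because in this incident the attacker held a developer's GitHub account and could have edited a baseline kept in the repository. Second, the release API as described here exposes no content hash, so a thorough monitor also downloads each asset on a schedule and compares its SHA-256 against the value published at release time; the id and timestamp diff is the fast early warning, the hash comparison is the ground truth.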

We are grateful to our community for their continued support, and would especially like to thank GeorgH93 (https://github.com/GeorgH93) for reporting this issue. We will be issuing a monetary award as part of our security bounty program for his quick and thorough disclosure.

Please keep in mind, as best as we can tell, no accounts have been compromised at this time. Please help us spread the word and ensure all users take precautions immediately to avoid any potential loss of funds.

Thank you for your continued trust and your commitment to our collective success.
