Security Update — An Analysis of Copay Hack

Universal Labs
Dec 7, 2018

This attack specifically targeted the Copay wallet; other wallets are not affected by it. The event-stream version that pulls in the malicious code is 3.3.6, and the Ubbey App uses 3.1.7.

Background:

1. event-stream is a widely used npm package for processing Node.js stream data in the open source community, with a weekly download volume of 1.65 million;

2. The original author @dominictarr maintains many open source projects at the same time, and this project was no longer being actively maintained.

Attack Steps Review:

1. The attacker @right9ctrl emailed @dominictarr asking to take over maintenance of the project and for permission to publish to npm, and the author agreed;

2. The attacker published the first new version, 3.3.6, which added a dependency on a new module, flatmap-stream, and uploaded it to npm; this version did not yet contain malicious code;

3. @right9ctrl then upgraded event-stream to 4.4.0 and removed the dependency on flatmap-stream, so everything still looked normal;

4. The attacker uploaded the malicious version flatmap-stream@0.1.1. Because npm resolves dependency ranges to the newest matching version automatically, any app built on the version from step 2 (event-stream 3.3.6) picked up the malicious code.

Malicious code logic:

1. Code added to flatmap-stream checks whether it is running inside Copay and, only then, executes the stealing logic;

2. Copay writes a file called profile in the user directory that stores the user's public key, balance and other information; the malicious code reads it and records the wallets that meet the stealing conditions;

3. The malicious code rewrites the Credentials.prototype.getKeys method to override the original one. Copay uses this method to obtain the user's private key. Extra logic is added on top of the original: if the condition from step 2 is met, the private key and the public key are sent to the attacker's server. The above is only an explanation of the logic; in reality, a lot of obfuscation and encryption/decryption operations were added to keep the anomaly from being discovered.
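A defender's check that follows from the version numbers above, added here as an example and not part of the original post or of either project's code: it walks an npm package-lock.json (lockfileVersion 1 or 2/3) and reports any event-stream 3.3.6 or flatmap-stream 0.1.1 it finds. The lockfile contents and the package name some-build-tool are constructed sample data.

```javascript
// Versions named in this analysis; the lockfile further down is constructed sample data.
const AFFECTED = new Map([
  ['flatmap-stream', new Set(['0.1.1'])], // version carrying the malicious payload
  ['event-stream', new Set(['3.3.6'])],   // version that introduced the dependency
]);

// Returns every affected package in an npm lockfile with its nesting path.
function auditLock(lock) {
  const hits = [];
  const record = (chain, version) => {
    const name = chain[chain.length - 1];
    const bad = AFFECTED.get(name);
    if (bad && bad.has(version)) hits.push({ path: chain.join(' > '), name, version });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path,
    // e.g. "node_modules/a/node_modules/b" ("" is the root project itself).
    for (const [key, info] of Object.entries(lock.packages)) {
      const chain = key.split('node_modules/').map(s => s.replace(/\/$/, '')).filter(Boolean);
      if (chain.length) record(chain, info.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects
    const walk = (deps, chain) => {
      for (const [name, info] of Object.entries(deps || {})) {
        record(chain.concat(name), info.version);
        walk(info.dependencies, chain.concat(name));
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed v1 lockfile: the app pins event-stream 3.1.7 (safe, like the
// Ubbey App), but a hypothetical build tool pulled in 3.3.6 and, through it,
// the malicious flatmap-stream 0.1.1.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'event-stream': { version: '3.1.7' },
    'some-build-tool': { version: '1.0.0', dependencies: {
      'event-stream': { version: '3.3.6', dependencies: {
        'flatmap-stream': { version: '0.1.1' } } } } },
  },
};

for (const h of auditLock(SAMPLE_LOCK)) console.log(`AFFECTED ${h.name}@${h.version} via ${h.path}`);
```

Against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).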

The wallet inside the Ubbey App bears no such risk; any claim of UBBEY loss caused by this hack will be treated as fraud.
