Universal Labs
Dec 7, 2018 · 2 min read

This attack specifically targets the Copay wallet; other wallets are not affected. The event-stream version containing the malicious code is 3.3.6, and the Ubbey app uses 3.1.7.

Background:

1. event-stream is a widely used npm package in the open source community for processing Node.js stream data, with a weekly download volume of 1.65 million;

2. The original author @dominictarr maintains many open source projects at the same time, and work on this project has ceased.

Attack Steps Review:

1. The hacker @right9ctrl emailed @dominictarr asking to take over maintenance of the project and for permission to publish to npm, and obtained the author’s consent;

2. The hacker submitted a first version, 3.3.6, which depends on a new module, flatmap-stream, and uploaded it to npm; this upload does not contain malicious code;

3. @right9ctrl upgraded event-stream to 4.4.0 and removed the dependency on flatmap-stream. Everything looks normal so far;

4. The hacker uploaded the malicious version, flatmap-stream@0.1.1. Because npm relies on automatic upgrading, any app developed on top of version 2 will contain the malicious code.
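The versions named above can be checked against a project's lockfile, which records what was actually resolved. The following is an added example, not code from the original post, Copay or event-stream; `findFlagged`, the `FLAGGED` table and both sample lockfiles are constructed for illustration.

```javascript
// Versions this post names as carrying the malicious code.
const FLAGGED = new Map([
  ['event-stream', ['3.3.6']],
  ['flatmap-stream', ['0.1.1']],
]);
const NM = 'node_modules/';

// Return every flagged name@version resolved in a parsed package-lock.json.
function findFlagged(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if ((FLAGGED.get(name) || []).includes(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === '') continue;
      const i = path.lastIndexOf(NM);
      const name = info.name || (i < 0 ? path : path.slice(i + NM.length));
      check(name, info.version, path);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects, one level per node_modules.
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      check(name, info.version, [...trail, name].join(' > '));
      walk(info.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (hypothetical project, not real data).
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'event-stream': { version: '3.3.6', requires: { 'flatmap-stream': '^0.1.0' } },
  'flatmap-stream': { version: '0.1.1' },
  'demo-tool': { version: '1.0.0', dependencies: { 'event-stream': { version: '3.1.7' } } },
} };
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/event-stream': { version: '3.1.7' },
  'node_modules/demo-tool/node_modules/flatmap-stream': { version: '0.1.1' },
} };

for (const h of [...findFlagged(SAMPLE_V1), ...findFlagged(SAMPLE_V3)]) {
  console.log(`FLAGGED ${h.name}@${h.version} at ${h.where}`);
}
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `findFlagged`; a copy nested under another package's `node_modules` is reported with its full path.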

Malicious code logic:

1. Code introduced in flatmap-stream checks whether it is running in Copay and, if so, executes the stealing logic;

2. Copay generates a file called profile in the user directory, which stores the user’s public key, balance and other information; the malicious code reads it and stores the wallet information that meets the stealing conditions;

3. The Credentials.prototype.getKeys method is rewritten to override the original method. Copay uses this method to get the user’s private key. Extra logic is added to the original logic: if condition 2 is met, the private key and the public key are sent to the specified server. The above only explains the logic. In practice, a lot of obfuscation and encryption and decryption operations were added to prevent the anomaly from being discovered.

The wallet inside the Ubbey app bears no such risk; any claim of UBBEY loss caused by this hack will be regarded as fraud.

Universal Labs

Universal Labs is aiming to develop the next generation internet protocols and dapps.
