[Newsflash] Several Bitcoin Wallets Possibly Hacked by Rogue Developer, BitPay Becomes Focal Point
It’s been a rough month for the crypto industry – and now it has become even rougher. It appears that several major bitcoin wallets have been compromised by a rogue developer.
A Node.js module called event-stream was reportedly compromised. The issue was spotted by Github user deanveloper, who posted the issue on Github early on Monday. The event-stream problem itself was discussed last week on Github, although the connection to bitcoin wallets wasn’t discovered until earlier today.
This is a big deal. The event-stream Node.js module is used by millions of web applications. In the crypto community, it’s used most notably by BitPay’s open-source bitcoin wallet, Copay.
Now, that code is compromised, which means the millions of users of the event-stream Node.js module are similarly compromised – including anyone who uses BitPay’s open source bitcoin wallet, Copay.
How Did the Attack Occur?
Making matters worse, the hack appears to have been caused by a mix of social engineering, laziness, and incompetence. The hack was spotted when a user with limited coding activity on Github requested publishing rights to the event-stream library from its previous maintainer, Dominic Tarr.
Dominic Tarr inexplicably accepted this transfer of publishing rights. Tarr claims he had not maintained the repository in years. The new user, right9ctrl, now had publishing rights over event-stream.
According to a complaint on Github, the new maintainer then injected malware into the event-stream module.
It’s not clear if right9ctrl acted maliciously or incompetently. Something was, however, added to the code that would leak private keys from applications that used the event-stream and copay-dash modules. The addition appears to be malicious because it specifically targeted bitcoin wallets.
Here’s how one developer, Ayrton Sparling, explained the issue:
“He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to flatmap-stream, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of having flatmap-stream but still have everyone (millions of weekly installs) using 3.x affected.”
In more straightforward terms, here’s what happened: the new event-stream maintainer, right9ctrl, updated the module with malware and then patched over the problem to avoid detection.
As a result, the many users who had already installed the affected versions remain affected.
Copay and Other Bitcoin Wallets Are Likely Affected
The attack has affected Copay and other major bitcoin wallets. Copay’s open source code is used by many crypto applications as well, so it has the potential to affect far more than just bitcoin wallets.
There’s a possibility that BitPay, one of the world’s largest bitcoin payment processing companies, was also affected by this attack. BitPay built and maintained Copay.
“If you are using anything crypto-currency related, then maybe [you are affected],” wrote one developer on Github in response to the issue.
“This is a much bigger issue than just BitPay,” wrote open source developer Brian Hoffman on Twitter in response to the issue.
You do know how many products and services do this? This is a much bigger issue than just BitPay.
— Brian Hoffman (@brianchoffman) November 26, 2018
“As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point). If you are using a crypto-currency related library and if you see flatmap-stream@0.1.1 after running npm ls event-stream flatmap-stream, you are most likely affected.”
That developer later asked Dominic Tarr, the original maintainer of event-stream, why he granted maintainer access to the new user, right9ctrl.
Soon after receiving access, right9ctrl added flatmap-stream and then attempted to hide the addition with a quick patch:
“Why was @right9ctrl given access to this repo?” he asked, before restating the explanation quoted above.
Conclusion: Why Do We Trust Millions of Dollars in Payment Processing to Open Source Software?
This latest bug could change the way crypto companies use open source software. Crypto companies process millions of dollars of customer payments while relying on open source platforms. Sometimes, that’s the best way to do business. In other cases, like today, it exposes major companies to a serious vulnerability.
The problem is with the software companies using upstream open source software – the problem is not with the upstream developers themselves. Companies like BitPay save money by not directly developing their own libraries. However, they also get exposed to problems like this. It’s a double-edged sword.
Here’s what P.H. Madore at CCN.com had to say about the bitcoin wallet vulnerability issue:
“This model works for major software development, and this author believes that there is no reason it shouldn’t be applicable here. Rightfully, BitPay should arguably not be using software on a trust basis. Millions upon millions of dollars in client wallets are being entrusted to them, not upstream developers. If BitPay is not interested in actively developing libraries like event-stream, then they should use forked versions, verifying that each update is safe. Instead, as many industry stakeholders have alleged, they’ve demonstrated incompetence.”
Essentially, BitPay is relying on upstream dependencies while also trusting that none of the upstream developers and maintainers will ever inject malicious code. You could argue that it’s a system doomed to fail from the start – especially when millions of dollars are being processed using the upstream dependencies.
It’s unclear how many wallets have been affected by this latest breach. Stay tuned for more information as this event-stream bitcoin wallet hack story continues to unfold.