Liquality developer Mohammed Nokhbeh has discovered a vulnerability in the Ledger hardware wallet that can cause bitcoins to be withdrawn when the user believes they are sending an altcoin.
The developers have submitted a report describing how the attack works. The attacker creates a fake transaction in any altcoin, during which bitcoins are debited from the user. For example, a trader may have the impression that he is sending 0.01 LTC, but in fact 0.01 BTC will be sent from his wallet.
Nokhbeh added that Ledger hardware wallets support multiple cryptocurrencies with a dedicated app for each asset, but only one app can be active. It turned out that external applications can access data about other cryptocurrencies even from inactive applications. The researchers found that, by exploiting the vulnerability, a user who opens the application for LTC can receive a request to confirm a Bitcoin transaction, even if they are not using that asset. In this case, the interface displays the details of an LTC transaction. Once the user confirms the request, a fully signed transaction is created on the Bitcoin network.
According to the developers of Liquality, Ledger was notified of this vulnerability back in January last year, but has not fixed the problem. However, Ledger said it always carefully reviews all of the researchers' comments. According to Ledger, the developers of Liquality may have sent their report of the identified problems to other departments that are not involved in fixing bugs. Commenting on the Liquality report, Ledger acknowledged that the Bitcoin application remains available while other cryptoassets are in use. The wallet manufacturer explained that this is needed to support forks of bitcoin and other cryptocurrencies that were created on the basis of the bitcoin blockchain and share a common history.
“Some bitcoin forks use the same derivation paths as bitcoin. Without them, people simply won't be able to use Ledger Nano S / X wallets to work with these coins. Developers will have to choose between security and usability so that customer funds are not blocked,” explains Ledger.
Ledger has announced that it will soon release a new version of the Bitcoin app. If a different withdrawal path is used, users will be notified.
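The kind of path check the announced fix implies, as an added example that is not Ledger's code: it warns when a signing request's derivation path does not belong to the active app. It assumes BIP44-style paths (`m/purpose'/coin_type'/...`) and the registered SLIP-44 coin types for Bitcoin (0) and Litecoin (2); the function names and sample paths are hypothetical.

```python
# Added illustration, not Ledger firmware code; all names are hypothetical.
HARDENED = 0x80000000
SLIP44 = {"BTC": 0, "LTC": 2}        # registered SLIP-44 coin types (subset)
BIP44_STYLE_PURPOSES = {44, 49, 84}  # purpose'/coin_type'/account'/change/index


def parse_path(path):
    """Parse "m/44'/2'/0'/0/5" into a list of 32-bit child indexes."""
    parts = path.strip().split("/")
    if parts[0] != "m":
        raise ValueError("path must start with 'm'")
    out = []
    for part in parts[1:]:
        hardened = part.endswith(("'", "h"))
        digits = part[:-1] if hardened else part
        if not digits.isdigit() or int(digits) >= HARDENED:
            raise ValueError(f"bad path element: {part!r}")
        out.append((int(digits) | HARDENED) if hardened else int(digits))
    return out


def check_path(path, active_app):
    """Return (sign_without_warning, message) for a signing request."""
    idx = parse_path(path)
    if len(idx) < 2:
        return False, "path too short to carry a coin type: warn the user"
    purpose, coin = idx[0], idx[1]
    # Both levels must be hardened for the coin type to be meaningful.
    if not (purpose & HARDENED and coin & HARDENED):
        return False, "purpose/coin_type not hardened: warn the user"
    if (purpose ^ HARDENED) not in BIP44_STYLE_PURPOSES:
        return False, "unknown purpose: warn the user"
    coin ^= HARDENED
    if coin != SLIP44[active_app]:
        owner = next((k for k, v in SLIP44.items() if v == coin), "unknown")
        return False, (f"{active_app} app asked to sign with coin_type "
                       f"{coin} ({owner}): warn the user")
    return True, "path matches active app"


if __name__ == "__main__":
    # Constructed sample requests arriving while the LTC app is open.
    for p in ("m/44'/2'/0'/0/5", "m/44'/0'/0'/0/5"):
        print(p, check_path(p, "LTC"))
```

Forks that share Bitcoin's derivation path, which Ledger's statement mentions, are not distinguished by a coin-type comparison like this one.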
Last month, experts from Kraken Security Labs talked about new opportunities for a firmware change attack on Ledger Nano X hardware wallets, but this issue has already been fixed.