Crypto payment processor BitPay issued advice on its official blog yesterday, Nov. 26, for users of its open-source Bitcoin (BTC) wallet Copay, which has reportedly been compromised by malicious code.
The vulnerability pertains to a third-party Node.js module, event-stream, which is used in versions 5.0.2 through 5.1.0 of BitPay’s Copay and BitPay apps. According to a GitHub issue report, this module was modified to load malware that is capable of stealing users’ private keys.
BitPay’s post states that the BitPay app was not vulnerable to the malicious code, but that its team is investigating whether the vulnerability had been exploited against any Copay users.
In the meantime, the company has outlined advice for its users, stating that anyone using Copay versions 5.0.2 through 5.1.0 “should not run or open the app.” The company has released a security update in version 5.2.0, which is due for imminent release on app stores.
The company also warns that users of affected versions “should assume” their private keys may have been compromised, and therefore move any holdings to new, secure v5.2.0 wallets “immediately”:
“Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”
According to the GitHub issue report, a little-known user called right9ctrl requested and was granted publishing rights to the event-stream library (which is used in the Node.js module on the Copay app) from its previous maintainer, Dominic Tarr, who conceded he was no longer maintaining the repository and did not suspect the new user of malicious intent.
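For teams that want to check whether their own Node.js projects pull in event-stream, the following is an added example (not code from BitPay, Copay or the article) that walks a parsed npm lockfile and reports each installed copy of a named package and which packages declare it. The sample lockfiles, the name `example-dev-server` and all version strings are constructed for illustration.

```javascript
'use strict';

// Flatten either npm lockfile layout into [{ location, name, version, requires }].
function flatten(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by "node_modules/a/node_modules/b".
    for (const [key, info] of Object.entries(lock.packages)) {
      const i = key.lastIndexOf('node_modules/');
      // Keys without node_modules/ are the root project ('') or a workspace.
      const name = i === -1 ? (key || '(root)') : key.slice(i + 'node_modules/'.length);
      const edges = { ...info.dependencies, ...info.devDependencies, ...info.optionalDependencies };
      out.push({ location: key, name, version: info.version, requires: Object.keys(edges) });
    }
    return out;
  }
  // lockfileVersion 1: nested "dependencies"; edges are listed under "requires".
  (function walk(deps, prefix) {
    for (const [name, info] of Object.entries(deps || {})) {
      const location = `${prefix}node_modules/${name}`;
      out.push({ location, name, version: info.version,
                 requires: Object.keys(info.requires || {}) });
      walk(info.dependencies, `${location}/`);
    }
  })(lock.dependencies, '');
  return out;
}

// Report every installed copy of `target` and the packages that declare it.
function findPackage(lock, target) {
  const entries = flatten(lock);
  return {
    installs: entries.filter(e => e.name === target)
                     .map(e => ({ location: e.location, version: e.version })),
    requiredBy: entries.filter(e => e.requires.includes(target)).map(e => e.name),
  };
}

// Constructed sample lockfiles: versions and example-dev-server are made up.
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'example-dev-server': { version: '1.0.0', requires: { 'event-stream': '^0.0.0' } },
  'event-stream': { version: '0.0.0-constructed' },
} };
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'example-app', devDependencies: { 'example-dev-server': '^1.0.0' } },
  'node_modules/example-dev-server': { version: '1.0.0', dependencies: { 'event-stream': '^0.0.0' } },
  'node_modules/example-dev-server/node_modules/event-stream': { version: '0.0.0-constructed' },
} };
```

To use it on a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findPackage`; a non-empty `installs` list with an empty root-level declaration means the package arrived transitively.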
Earlier this fall, Bitcoin Core released an update following the detection of a vulnerability in its software, a bug which the co-owner of Bitcoin.org described as “very scary,” with the potential to have “crashed a huge chunk of the Bitcoin network if exploited by any rogue miners.”