{"id":12980,"date":"2018-11-27T00:00:00","date_gmt":"2018-11-26T16:00:00","guid":{"rendered":"https:\/\/www2019.dash.org\/2018\/11\/27\/dash-is-not-affected-by-the-bitpay-copay-attack\/"},"modified":"2021-09-18T11:36:27","modified_gmt":"2021-09-18T11:36:27","slug":"dash-not-affected-copay-attack","status":"publish","type":"post","link":"https:\/\/wp.dash.org\/news\/dash-not-affected-copay-attack\/","title":{"rendered":"Dash is not affected by the BitPay Copay attack"},"content":{"rendered":"
Good day everyone!<\/p>\n
You might have seen the news on GitHub, Twitter, ZDNet, and various other places on the net.
\nThe whole JavaScript ecosystem discovered an attack targeting BitPay\u2019s Copay product. In order to be sure the compromised package was included in Copay during the building phase, the attacker had to spread ingenious, obfuscated and malicious code across the whole ecosystem. This malicious code was looking for the description of a package (a bunch of code that works as a library to enhance programmers\u2019 productivity) that had the specific message, \u201cA Secure Bitcoin Wallet\u201d, and used that as a decryption key to unveil and execute the dormant code.<\/p>\n
This matched two projects: Copay, and our first fork of Copay, created 2 years ago while Dash was studying the idea of using Copay as a foundation for DashPay. We did not pursue this idea further, and that project was never used.<\/p>\n
The Dash Copay Beta that we worked on and released was not targeted, so the malicious code won\u2019t manage to steal your funds.<\/p>\n
\u200b<\/p>\n
Here is the exact naming thing that got everyone (including ZDNet at one point) confused:<\/p>\n
\u200b<\/p>\n
So, what happened?<\/p>\n
I\u2019ve been looking at it, thanks to a message from BitPay.<\/p>\n
I want to first say how grateful I am to BitPay; they were blazing fast in sharing this information with us, which allowed us to get in touch with ZDNet and clear all suspicions on Dash.<\/p>\n
\u200b<\/p>\n
And secondly, for all the foundations they paved: these packages remain open-source, which means that if you do not maintain them, they get outdated, with issues and vulnerabilities. And in this case, I think that the Bitcoin community would benefit from grouping together and starting a Patreon (or forking our governance system) to fund some devs to be able to keep everything up-to-date, to be able to verify the dependencies, and to be able to improve and reduce their dependencies.<\/p>\n
\u200b<\/p>\n
So that should be cleared up: this attack targeted everyone. People from React, Vue, Nodemon, the Node Security team or the Google Security team, experts in their domain, also didn\u2019t notice it, because it\u2019s like finding a needle in a haystack. So clearly, it\u2019s not about BitPay, but it\u2019s a good warning for all of us to improve our package dependency strategy and review processes.<\/p>\n
\u200b<\/p>\n
On the 20th of November, a CS student found that a package included some strange code. He found code that he couldn\u2019t really understand, but that is known by most of the crypto community devs (JS). He immediately understood that it was malicious, but it took the community time to get the information, and given the control that the attacker had, we are lucky he didn\u2019t or couldn\u2019t remove the GitHub issue\u2026 No fault on that \u2013 as a student, did you know who to contact when you found malicious JS code? (FYI to all CS students: https:\/\/nodejs.org\/en\/security\/ is also to be used for third-party vulnerabilities)<\/p>\n
\u200b<\/p>\n
This code, present in a minified file but not in the regular file (the one people actually read), was trying to decipher an aes256-ciphered message that was first turned into a hexadecimal string. The decryption key is the npm_package_description; all packages have one, but Copay specifically has \u201cA Secure Bitcoin Wallet\u201d. How did they find that? Well, by iterating over all the package descriptions available (and there are a lot of them).<\/p>\n
\u200b<\/p>\n
When you enter this passphrase, you then get the code that is injected. This injection, as explained before, targets your private keys, requires another package to do that (bitcore-wallet-client), and will then send that information to either:<\/p>\n
\u200b<\/p>\n
Because Dash Copay does not use <code>bitcore-wallet-client<\/code>, and doesn\u2019t have the same description, we were not targeted. The attacker targeted the BitPay Copay implementation having BCH \/ BTC. They didn\u2019t care at all about trying to target other implementations like Dash.<\/p>\n \u200b<\/p>\n This is a good reminder for us that our decision to limit our dependencies is the right one. It doesn\u2019t help our productivity, but it will benefit the security of our JavaScript libraries.<\/p>\n \u200b<\/p>\n So in the end, this attack specifically targeted the BitPay Copay App from 5.0.2 to 5.1.0.<\/p>\n","protected":false},"excerpt":{"rendered":" Good day everyone !<\/p>\r\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[216],"tags":[],"class_list":["post-12980","post","type-post","status-publish","format-standard","hentry","category-news"],"acf":[],"yoast_head":"\n