BSV
$67.89
Vol 223.28m
0.11%
BTC
$98496
Vol 125556.68m
4.45%
BCH
$490.79
Vol 2343.97m
12.9%
LTC
$90.67
Vol 1445.07m
9.78%
DOGE
$0.38
Vol 9675.57m
3.94%
Getting your Trinity Audio player ready...

In a recent article written as a how-to, Medium blogger Paris Cormier described a set of instructions on how to successfully infiltrate a Ledger wallet. The instructions, which followed a fully-detailed Docdroid.netdisclosure,were posted for educational purposes to prevent the hack from being replicated and protect users who may fall victim to it.

The hardware wallet company acknowledged this vulnerability in their product with a tweet claiming that the “man in the middle attack” can be mitigated by verifying the receive address on the device’s screen. This is done by clicking the “monitor button” found in the wallet’s interface.

Following a report from news.bitcoin.com last month in which a man’s life savings were stolen from a hardware wallet supplied by a reseller, the news that Ledger’s hardware wallets are vulnerable has been met with anger from cryptocurrency users. The man described in the report is Redditor u/moodyrocket, who claimed that he has “[…] not used my Ledger in a week, today I decide to check the value of my XRP, Litecoin and Dash only to discover that all of them showed up as zero and had been transferred somewhere else yesterday all around the same time at 7:30pm. I am not sure how this is possible as I have not access my Ledger in a week.”

Cormier’s guide describes Ledger wallets as “one of the many that generate new public keys for each receiving transaction.” Such transactions are done by executing JavaScript code which runs from the client-side. According to the guide, “This means that malicious code can easily replace the automatically generated receiving address with a hacker’s.”

Given how public keys are changed regularly, users may not suspect any issues that would arise from this process. Users also have no viable method to verify the validity of the receiving address, without resorting to external or third-party applications to manually verify addresses.

Here’s an illustration of the hack as posted by @LedgerHQ on Twitter:

Recommended for you

Blockchain enables autonomous AI agents to learn
Utilizing blockchain tech, a group of Belgian scientists enabled autonomous AI agents to learn and communicate securely, contributing to the...
September 17, 2024
WhatsOnChain gets own UTXO endpoints for BSV blockchain services
With ElectrumX set to retire in October, WhatsOnChain is gearing up to implement a new UTXO set of API endpoints,...
September 16, 2024
Advertisement