BitPay Warns Users to Move Funds to New Wallets Amid Malicious Code Outbreak
Global Bitcoin payment service BitPay has warned customers of a vulnerability on a third-party NodeJS package used by the Copay and BitPay apps which could be used to capture users’ private keys. The company said the malicious code was deployed on versions 5.0.2 through 5.1.0 of its Copay and BitPay apps. BitPay recommended users to move funds to new wallets immediately as private keys are potentially compromised.
BitPay Investigates Whether Code Vulnerability Exploited Copay Users
BitPay is currently investigating the matter as to whether Copay users suffered from any attack purported the malicious code, the company said in a statement.
“Currently, we have only confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps. However, the BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users.”
The Bitcoin payment service warned customers not to use any infected Copay versions before running a security update provided by BitPay in the app stores.
“Our team is continuing to investigate this issue and the extent of the vulnerability. In the meantime, if you are using any Copay version from 5.0.2 to 5.1.0, you should not run or open the app. A security update version (5.2.0) has been released and will be available for all Copay and BitPay wallet users in the app stores momentarily.”
Additionally, BitPay recommended users to move funds to new wallets (v5.2.0) immediately as private keys could be compromised. The Atlanta-based firm warned users not to import affected wallets’ backup phrases as they too may be compromised.
“Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”
BitPay found out about the malicious payload via a Copay GitHub issue report. According to comments on GitHub, the malware “was really sneaky, and only triggering the upload of the private keys for wallets that had genuinely over 100 BTC in there”. BitPay and its users were lucky this time but should be prepared for future attacks, according to GitHub user atomantic.
“Narrowly escaped a mass theft/liquidation event. Network egress monitoring would be good to add to automated tests if not already part of the build validation process.”
In April 2018, BitPay issued a warning of a trojan horse called Coinbitclip which has affected some purchases using Bitcoin processed by the payment service. The trojan did not infect any specific Bitcoin wallet or payment system, but individual Windows users only, similarly to most types of ransomware.
Image from Shutterstock
Token of Your Real Estate Opportunity
Thriving the Cryptocurrency Market with CRYPTOBONDS
Blockchain meet social network
Decentrelized platform for fashion industry
logistical solution for markets and supply chains
payment system for cryptocurrency
Small Business Financial Services Platform
The intelligent retail currency protocol
An All-in-One Crypto Experience
Comprehensive Global Digital Startup Ecosystem
Platform based on blockchain
blockchain-based land marketplace
Platform based on blockchain
Ultra low-cost renewable electricity
Trade finance market place
Blockchain-based gastro platform
Digital Money System
A Decentralized Delivery Platform
Platform to build Social Media on the blockchain
Evolution is coming!
Platform to build on Blockchain
Platform for automation of property and car renting
blockchain gaming platform
Fintech company that is building a base protocol to solve the payments challenges of today
Finance Blockchain Infrastructure
blockchain platform for online payments
Business advisory platform
Eco-system Powered by Ethereum Blockchain.