A backdoor that steals the bit user's coin is charged by open source code modification



It became clear that there was an attempt to steal the user's Bitcoin (bit coin) by putting a backdoor in the virtual currency wallet using the open source code library. This case is a crisis situation of supply chain attacks on open source software.

I do not know what to say. · Issue # 116 · dominictarr / event-stream · GitHub
https://github.com/dominictarr/event-stream/issues/116

Widely used open source software contained bitcoin - stealing backdoor | Ars Technica
https://arstechnica.com/information-technology/2018/11/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin/

The backdoor that steals the user's bit coin was set up by "Bit Coin Wallet App" " Copay ". GitHub users reported the possibility that a backdoor was put in the code library " event-stream " used in the Copay application, and the code was verified.

As a result of the verification, we found that there is a problem with the module called "flatmap - stream" newly introduced in version 3.3.6 of event - stream published on September 8, 2018. Flatmap-stream itself when version 3.3.6 was released was not vulnerable, but on October 10, 2018 backdoor was installed by following the two-step procedure that malicious code was included in flatmap-stream It is said that it was. This backdoor was aimed at the bit coin wallet developed by Copay and was designed for the purpose of stealing bit coins possessed by Copay application users.


From the volunteers who raised problems on the GitHub bulletin board, the insertion of a malicious code was pointed out to Copay, but until October 11, 2018, Copay did not correspond. Originally, it was Copay, which claimed that "an event-stream containing malicious code was not introduced in all released Copay applications", but on November 26, 2018 the Copay application Version 5.0.2 through 5.1.0 are adversely affected by the backdoor and users of these versions are asked not to run the application until updating to the latest version 5.2.0.

Statement on NPM Package Vulnerability in v 5.0.2 - 5.1.0 of Copay Wallets
https://blog.bitpay.com/npm-package-vulnerability-copay/

According to stakeholders of package management tool NPM hosting event-stream, the vulnerability found this time is not targeted to general module developers, but a part of developers of Copay having a specific development environment He said he was targeting. And it seems that there was a feature that the installed vulnerability did not work on the developer's computer and it was packaged by the end user's application when the developer released the application. I know that it was difficult.

In the discussion of the GitHub bulletin board, it has been pointed out that developers who developed event-stream for many years received help from unknown developers several months ago because there was no time to provide the update program. Open source software is an unspecified number of developers involved and will be improved, so even if a malicious person secretly puts malicious code in it, it can be enough not to miss this. Rather than writing all the code by the developer himself, in the situation where new and outstanding software is rapidly developed by using already existing excellent third party components, we aim at the open source supply chain It seems that response to cyber attacks will become increasingly difficult.

in Software,   Security, Posted by darkhorse_log