
Security Flaw in Everscale’s Wallet could have given Attacker Control of Funds

by uma
gawdo


Check Point Research (CPR) identified a security vulnerability in Everscale’s blockchain wallet. If exploited, the vulnerability would have given an attacker full control over a victim’s wallet and the funds in it. The vulnerability was discovered in the web version of Everscale’s wallet, Ever Surf. Available on Google Play and Apple’s App Store, Ever Surf is a cross-platform messenger, blockchain browser and crypto wallet for the Everscale blockchain network. Everscale is a smart contract platform that succeeded the TON blockchain project originally developed by Telegram; it is reported to have conducted 31.6 million transactions and to hold over 669,000 accounts worldwide.

  • CPR showed that an attacker could decrypt a victim’s private keys and seed phrases
  • Decryption takes just a couple of minutes on consumer-grade hardware
  • CPR urges caution when dealing with cryptocurrencies


Attack Methodology

By exploiting the vulnerability, an attacker could decrypt the private keys and seed phrases that the web wallet stores, in encrypted form, in the browser’s local storage. CPR outlined the potential attack methodology as follows:

  1. Obtain the wallet’s encrypted keys from the browser’s local storage. Attackers typically do this with malicious browser extensions, infostealer malware or plain phishing.
  2. Decrypt the keys by running a simple script. Because of the discovered vulnerability, decryption takes just a couple of minutes on consumer-grade hardware.
  3. Steal the funds from the wallet.

Responsible Disclosure

CPR disclosed the vulnerability to Ever Surf developers, who then released a desktop version that mitigates this vulnerability. The web version is now declared deprecated and should only be used for development purposes. Seed phrases from accounts that store real value in crypto should not be used in the web version of Ever Surf. Ever Surf issued a statement that can be read in CPR’s technical publication.

Quote: Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software:

“We discovered a vulnerability in the popular Everscale blockchain wallet, due to which the wallet keys can be easily decrypted by an attacker. Having the keys means full control over the victim’s wallet and, therefore, funds. Everscale is the technological successor of the TON network, which was developed by the Telegram team. At the same time, Everscale is still in the early stages of development. We assumed that there might be vulnerabilities in such a young product. We were also curious how key protection is implemented in the most popular wallet for this blockchain. CPR’s proof of concept presents several attack vectors that can lead to an attacker obtaining private keys and seed phrases in clear text, which can then be used to gain full control over the victim’s wallet.

When working with cryptocurrencies, you always need to be careful: ensure your device is free of malware, do not open suspicious links, and keep your OS and anti-virus software updated. Despite the fact that the vulnerability we found has been patched in the new desktop version of the Ever Surf wallet, users may encounter other threats such as vulnerabilities in decentralized applications, or general threats like fraud and phishing.”

Cyber Safety Tips

We would like to remind you that blockchain transactions are irreversible. Unlike with a bank, you cannot block a stolen card or dispute a transaction. If the keys to your wallet are stolen, your crypto funds become easy prey for cybercriminals, and no one can return your money. To prevent theft of the keys, we recommend:

  • Do not follow suspicious links, especially ones received from strangers
  • Keep your OS and anti-virus software updated
  • Do not install software or browser extensions from unverified sources
