BitPay releases security update after its Copay Bitcoin wallet was compromised
BitPay announced that its Copay wallet was compromised: someone managed to inject malicious code into versions 5.0.2 through 5.1.0. The BitPay app itself was not affected, the company said. The crypto payments services provider has asked users not to run or open the Copay app if they are using versions 5.0.2 to 5.1.0, according to a statement on its official blog.
“We are still investigating whether this code vulnerability was ever exploited against Copay users,” the company wrote, adding that it has rolled out a security update version (5.2.0) that will soon be available for Copay and BitPay wallet users in app stores.
The company cautioned users to treat their private keys as compromised and to immediately move their funds to new wallets created on the updated version (5.2.0).
“Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0,” BitPay said.
How did it happen?
Many web apps, including BitPay’s open-source Bitcoin wallet Copay, depend on a Node.js module called event-stream, which had reportedly been compromised. Earlier, a developer with the handle right9ctrl had asked Dominic Tarr, who had maintained the library, for publishing rights to event-stream. Tarr responded that he had not maintained the repository in years and handed control of the code repository to that user.
According to the GitHub issue that raised the alarm, the new maintainer either injected the malware or unknowingly created the same effect. The result was that private keys could be stolen from apps that used the event-stream and copay-dash modules.
The issue was then quickly resolved in a new release. Although the malicious code was reportedly flagged in the original repository around six days ago, it only came to the fore once it was understood that the code specifically targeted Copay, the cryptocurrency wallet developed by the bitcoin payment processor BitPay. BitPay shared the issue earlier today.