How BitPay is Securing the Copay and BitPay Wallets: NPM and Networking Security Updates for v5.3.1

The NPM Vulnerability

On November 26th, BitPay was made aware of malicious code in the Copay wallet (the BitPay wallet was not vulnerable) that was trying to capture the private keys of BitPay and Copay wallets. The malicious code was loaded into the Copay wallet through a modified NPM dependency. The malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps.

Once we learned of this, our developers quickly fixed the Copay wallet in version 5.2.0. Because versions 5.0.2 through 5.1.0 of Copay were vulnerable to the malicious code, we issued an announcement warning our users to not open or run affected apps and to move their funds to wallets on the new secure Copay version.

BitPay’s Updates

But if we had left things at a fix and an announcement, then you shouldn’t trust us to build your wallet. Our developers were hard at work over the following week making long-term improvements to the security of the Copay and BitPay wallets. All of these updates are now live as of Copay v5.3.1.

Reducing Dependency Risk

First, we have now locked our dependency tree. This means that, aside from patches made to our dependencies, we will only be updating our software dependencies when a new major version of Copay or BitPay is released. This makes it easier to review dependencies in our codebase before those changes go live for our users. It is usually over one month between our and production releases.

Locking Down Network Connections

Second, BitPay has restricted network connections on our wallets. The actor who introduced the malicious code via the vulnerability was trying to steal private keys from wallet users and send them to a specific URL. By restricting the URLs that the Copay and BitPay apps can interact with, we make it harder for this kind of attack to work even if an attacker found their way into our codebase.
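An added example, not Copay's or BitPay's own code, of the kind of outbound-connection allowlist the paragraph above describes: every request the app makes is checked against a fixed set of origins, so code that tries to post data to an unlisted URL is refused. The allowlisted hostnames are constructed placeholders.

```javascript
// Fixed set of origins the app is permitted to talk to.
// Hostnames are constructed placeholders, not BitPay's real endpoints.
const ALLOWED_ORIGINS = new Set([
  "https://wallet-service.example.com",
  "https://rates.example.com",
]);

// Returns true only when `input` parses as an https URL whose origin is
// on the allowlist. Origin comparison (scheme + host + port) rather than
// string-prefix matching defeats look-alike hosts such as
// "wallet-service.example.com.evil.example".
function isAllowedUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return false; // unparseable input is never sent anywhere
  }
  if (url.protocol !== "https:") return false;    // no plaintext transport
  if (url.username || url.password) return false; // reject "https://good@evil/" tricks
  // url.origin lower-cases the host and drops the default port, so
  // "HTTPS://Wallet-Service.example.com:443" still matches the entry above.
  return ALLOWED_ORIGINS.has(url.origin);
}

// Thin wrapper around fetch: the allowlist is applied before any
// connection is opened, so a blocked request never reaches the network.
function guardedFetch(input, init) {
  const target = typeof input === "string" ? input : input.url;
  if (!isAllowedUrl(target)) {
    return Promise.reject(new Error(`blocked outbound request to ${target}`));
  }
  return fetch(input, init);
}
```

In a Cordova or Electron packaged app the same allowlist would normally also be declared as a Content-Security-Policy `connect-src` directive, so the platform enforces it in addition to application code.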

These are the updates and changes that are currently live for the Copay and BitPay apps. We’re continuing to think of additional ways to make our wallets even more secure, and as those updates come out, we’ll let you know.

If you’re interested in a wallet that takes security seriously, download version 5.3.1 of the BitPay or Copay apps (the Copay wallet is currently only available through APK for Android).

If you’re a developer and interested in helping with Copay, you can check out our GitHub page.

Post written by our friend Charles Pustejovsky and Syndicated from