{"id":12342,"date":"2018-11-30T13:33:20","date_gmt":"2018-11-30T09:33:20","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=12342"},"modified":"2019-11-15T15:22:41","modified_gmt":"2019-11-15T11:22:41","slug":"copay-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/copay-supply-chain-attack\/12342\/","title":{"rendered":"A bad link in the cryptochain"},"content":{"rendered":"<p>Pretty much every developer uses some third-party libraries \u2014 with millions of developers sharing their creations with the world, leveraging existing modules to help solve your tasks is a smart use of time. But using somebody else\u2019s code means trusting the developers of that code. BitPay, developers of the Copay cryptowallet, recently ran up against the shortcomings of using open-source third-party assets.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/github.com\/bitpay\/copay\/\" rel=\"noopener noreferrer nofollow\">Copay<\/a> is basically a multiplatform Bitcoin\/Bitcoin Cash <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/blog\/cryptowallets\/22025\/\" rel=\"noopener noreferrer nofollow\">cryptocurrency wallet<\/a> that allows users to create shared wallets. Copay is developed using JavaScript, and it relies on a lot of third-party open-source libraries.<\/p>\n<p>One of those is an open-source Node.js module called <em>event-stream<\/em>. Its repository on the version control service GitHub was maintained by a developer who had lost interest in the project long ago and hadn\u2019t really taken part in the repository\u2019s fate in several years. So, when some other developer with little to no previous activity on GitHub approached him and asked whether he could have the admin rights to maintain the repository, the original developer gave that person access rights.<\/p>\n<p>The new developer got right to work. 
First, the <em>event-stream<\/em> library began using a module called <em>flatmap-stream<\/em> from the GitHub repository of the same developer. Then the new maintainer modified that module, adding malicious code. Three days after the update, the same developer uploaded yet another version of <em>flatmap-stream<\/em>, this one with no malicious code \u2014 probably to hide the malicious activity.<\/p>\n<p>That is how the <em>event-stream<\/em> library was compromised. It is widely used not only by BitPay, but also by many other companies. Supposedly, it remained compromised for just three days, but that was enough time for Copay\u2019s developers, who didn\u2019t realize it had been modified to carry a malicious payload, to include the updated version of the library in their project. The updated cryptowallet software was published on app shops and downloaded by many users.<\/p>\n<p>Perhaps Copay\u2019s developers didn\u2019t want to invest much of their time in looking at the changes in the libraries they used. Nowadays, updating libraries that are used in a project is easily automated thanks to package management services such as npm. With npm, a developer can run a single command to update all third-party modules used in their project.<\/p>\n<p>Even if the devs did take a look at the updated libraries, the malicious code would have been hard to find. Libraries used in a project can depend on other libraries (the way <em>event-stream<\/em> depended on <em>flatmap-stream<\/em>), and checking all of the dependencies can take a lot of time. 
In this particular case the process was additionally complicated by the fact that the <em>flatmap-stream<\/em> module was encrypted.<\/p>\n<p>According to <a target=\"_blank\" href=\"https:\/\/www.ccn.com\/breaking-numerous-bitcoin-wallets-may-have-been-compromised-by-rogue-developer\/\" rel=\"noopener noreferrer nofollow\">CCN<\/a>, the <em>flatmap-stream<\/em> library was modified to leak private keys (basically, cryptowallet passwords) from applications relying on both the <em>event-stream<\/em> and <em>copay-dash<\/em> libraries. The latter suggests that this was a targeted attack against BitPay, the creators of Copay and the authors of <em>copay-dash<\/em>. In this case, the keys would be leaked only if both libraries were used, and that would be true only in products based on Copay\u2019s code.<\/p>\n<p>According to <a target=\"_blank\" href=\"https:\/\/arstechnica.com\/information-technology\/2018\/11\/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin\/\" rel=\"noopener noreferrer nofollow\">Ars Technica<\/a>, the malicious payload allowed the malefactor to get unauthorized access to users\u2019 wallets and transfer funds from there. The flaw was discovered and <a target=\"_blank\" href=\"https:\/\/github.com\/dominictarr\/event-stream\/issues\/116#issuecomment-441749105\" rel=\"noopener noreferrer nofollow\">reported<\/a> by a GitHub user. But before that, several versions of Copay wallets containing malicious code were distributed. BitPay eventually admitted the compromise and advised the customers who used Copay versions from 5.0.2 to 5.1.0 to upgrade to the latest version, 5.2.0. For now, no information on the number of affected users and the amount of money they\u2019ve lost is available.<\/p>\n<p>This is a classic supply-chain attack, with a malefactor compromising a third-party library used by the developers of an app. 
The problem here stems from the use of open-source software, which is maintained by you-never-know-who. There\u2019s no guarantee that this software is functioning the way it was functioning several versions ago. Developers of open-source software are not to blame for that \u2014 they provide their products as-is, not guaranteeing a thing.<\/p>\n<p>The tricky aspect in this case is that Copay is also open-source \u2014 and is widely used by developers of other cryptowallets. So the problem may be bigger.<\/p>\n<p>Businesses making money from providing software (and especially software that is involved in transferring large amounts of money) should make sure that prior to release, their software undergoes security checks including very careful analysis with each new version of all third-party libraries used in their project.<\/p>\n<p>Best practice is to take a look at the status of the repository, consider ratings from other developers, check how often the project has been updated as well as how long it\u2019s been since the last update, and browse through the bug log. Any peculiarities may merit deeper investigation \u2014 or moving on to another module.<\/p>\n<p>If something goes wrong with such a library, clients blame the company that provided the software that relies on the library, even if it\u2019s not them but the developers of the library to blame. 
Of course, we do not discourage using open-source products, but we advise staying very alert and being very careful when relying on them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A supply-chain attack against Copay cryptowallets through an open-source library enables bitcoin theft.<\/p>\n","protected":false},"author":675,"featured_media":12343,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[374,1968,1505,1969,1758],"class_list":{"0":"post-12342","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-bitcoin","10":"tag-copay","11":"tag-cryptocurrencies","12":"tag-open-source","13":"tag-supply-chain"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/copay-supply-chain-attack\/12342\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/copay-supply-chain-attack\/14735\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/copay-supply-chain-attack\/16652\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/copay-supply-chain-attack\/14843\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/copay-supply-chain-attack\/13824\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/copay-supply-chain-attack\/17443\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/copay-supply-chain-attack\/16652\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/copay-supply-chain-attack\/21845\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/copay-supply-chain-attack\/5472\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/copay-supply-chain-attack\/24786\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/copay-supply-chain-attack\/10102\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/copay-suppl
y-chain-attack\/18176\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/copay-supply-chain-attack\/22088\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/copay-supply-chain-attack\/21585\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/copay-supply-chain-attack\/21584\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/supply-chain\/","name":"supply chain"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12342","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=12342"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12342\/revisions"}],"predecessor-version":[{"id":14561,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12342\/revisions\/14561"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/12343"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=12342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=12342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=12342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}