Ledger Library Compromised, Urgent Security Alert for Ledger Users
In a shocking turn of events, the widely used Ledger library has been compromised, posing a significant threat to the security of users’ funds. The breach has been identified as an infiltration by a malicious actor who replaced the legitimate library with a drainer script.
The vulnerability extends beyond the Ledger library itself, as the connect-kit-loader used by Ledger has also been found to be susceptible. The loader, specified with loose dependencies, opens the door for potential exploits. The list of affected parties is extensive, as indicated by the findings on GitHub and Sourcegraph.
The user interfaces of various decentralized applications (DApps), like Zapper, SushiSwap, Balancer, and Revoke.cash, experienced a security breach. Mathew Lilley, the chief technical officer of SushiSwap, revealed that a widely used Web3 connector, which many DApps rely on, was compromised. This allowed harmful code to be added to several DApps. The Ledger library, a crucial part of this system, confirmed the compromise, acknowledging that the vulnerable code had inserted the address of a harmful account, known as the drainer.
Attackers Exploit Loader Versioning, Compromising Numerous Libraries
Ledger recommends the use of connect-kit loader to load connect-kit, but even adhering to best practices may not be enough. Despite version pinning, the loader fetches the latest version of connect-kit between 1.0.0 and 2.0.0. Exploiting this, attackers have successfully compromised multiple libraries. The last known secure version from Ledger is 1.1.4, with three suspicious releases (1.1.5, 1.1.6, 1.1.7) posted today. All versions released after 1.1.4 are to be considered compromised.
In more simple words, Ledger recommends using something called “connect-kit loader” to load another tool called “connect-kit.” Even if you try to be really careful and follow the best ways to do it, the loader still gets the newest version of connect-kit between 1.0.0 and 2.0.0. This situation has given a chance for attackers to sneak into many libraries by only compromising connect-kit. The most recent secure version from Ledger is 1.1.4, but today, three new versions (1.1.5, 1.1.6, 1.1.7) were released, and they’re believed to be compromised. So, if you have any of these new versions, it’s important to consider them as not safe.
What exactly happened?
In a series of critical oversights, Ledger appears to have made a chain of blunders that contributed to the compromise of their widely-used library. Firstly, the decision to load JavaScript (JS) from a Content Delivery Network (CDN) introduced a vulnerability, as CDNs can be susceptible to compromise.
Secondly, the absence of version locking for the loaded JS compounds the issue, leaving the door open for attackers to exploit loose dependencies. Lastly, the revelation that Ledger’s CDN itself has been compromised adds another layer of concern to the situation.
These combined lapses in security have paved the way for malicious actors to infiltrate the Ledger library, replacing it with a drainer script. As a precautionary measure, Ledger users are strongly advised to refrain from engaging with any decentralized applications (dApps) until the Ledger team confirms the successful mitigation of the attack and assures the restoration of a secure environment.
Is Ledger Putting Profit Over Security and Community Support?
In this article, months ago, we already spoke about how Ledger was starting to get off-track with its users. Ledger’s recurrent introduction of new devices coupled with the discontinuation of support for older models has generated frustration among certain customers, casting doubts on the safety of their digital assets. Additionally, apprehensions have surfaced within the crypto community regarding Ledger’s perceived prioritization of profit over robust security measures and dedicated customer support. This article seeks to explore these concerns in greater detail and offer insights into secure practices for the storage of cryptocurrencies.
Not only this, just few months ago we also already warned users about the possibility of Ledger reading private keys. Ledger recently added a new option that lets users share their private keys with external services for backup. However, many users were worried and alarmed about this choice. People were questioning how it works and what risks it might bring. Because of these concerns, some are looking for other options instead of using Ledger to keep their cryptocurrency safe.
Ledger’s Statement Raises Concerns
In response to the recent security breach involving their compromised library, Ledger issued a statement that has left users with more questions than answers.
The statement lacks the clarity necessary to address the severity of the situation and reassure users about the safety of their assets. While acknowledging the compromise, Ledger’s assurance of resolving the issue feels vague, lacking specific details on the steps they are taking to mitigate the risks.
The statement appears to lack a sense of accountability, leaving users uneasy about the company’s commitment to rectifying the vulnerabilities and preventing future incidents.
As the crypto community awaits further clarification and decisive action from Ledger, concerns persist regarding the efficacy of their response in safeguarding user funds and restoring trust in their security infrastructure.
How to Secure Your Cryptocurrency Assets? Immediate Actions for Ledger Owners
1. Avoid DApp Interactions
There is a substantial risk to the funds stored in Ledger wallets if they interact with decentralized applications (dApps) using the compromised library. Ledger owners are strongly advised to refrain from connecting their devices to any dApps until the situation is resolved.
2. Monitor Official Channels for Updates
Ledger users are urged to stay vigilant and monitor official communication channels from Ledger for real-time updates and instructions on how to proceed. Regularly check the Ledger website and official social media accounts for the latest information.
3. Update Firmware and Software
Once a fix is available, it is imperative for Ledger owners to promptly update their device’s firmware or software. Ensure that any updates are obtained exclusively from the official Ledger website to avoid the risk of downloading compromised files.
4. Implement Additional Security Measures
As a precautionary measure, users should consider changing their Ledger account passwords and scrutinize their transaction history for any unauthorized activities. By taking these steps, Ledger owners can enhance the overall security of their assets.
The cryptocurrency community is on high alert as this incident underscores the vulnerability of even widely trusted platforms. Ledger users must act swiftly and diligently to safeguard their digital assets during this critical time. Stay tuned for further developments on this rapidly evolving situation.
Stay tuned for updates as this story unfolds. We’ll be adding more information as it becomes available, so check back for the latest developments.