
Published on July 16th, 2019

MyDashWallet compromised for two months, wallet keys taken


MyDashWallet.org is recommending that its users remove any
funds from their wallets as the site has been compromised for the past two
months.

MyDashWallet, which calls itself the fastest and easiest way
to use DASH cryptocurrency, noted on its site
that an associated external site serving CryptoJS scripts was compromised, with
the end result that wallet private keys were taken over a two-month period.

“To be safe please MOVE your funds to a new HD Wallet
(create new wallet in new browser tab or with any other wallet, copy target
address, move all funds from your old wallet to the new wallet),” was posted to
mydashwallet.org.

At this time it is not known how much DASH currency may have
been moved.

In a blog post, dash.org marketing manager Michael Seitz, aka HeyMichael,
wrote that a hacker was inside the system between May 13 and July 12 and during
that period could have obtained the private keys to any wallet. He also
recommended users move their funds.

“Out of an abundance of caution, anyone using
mydashwallet.org in that timeframe should assume their private keys are known
by the hacker and should immediately move any balances out of that wallet,” he
said, adding, “Based on our understanding, people who used mydashwallet.org in
conjunction with a hardware wallet or with associated tipbots are not affected.
We also don’t believe that the vulnerability affects other third-party wallets.”

Entry into MyDashWallet began in April when MyDashWallet was
modified to load a script from the script hosting website GreasyFork.

Further detail on the hack was given by a Dash.org
administrator with the handle Tungfa, who said that on April 18 MyDashWallet was
modified to download an external script from Greasy Fork, a move he called not
abnormal, but also not considered a secure practice, since the reference loaded
the latest version of the script rather than a specific version.





On May 13 the Greasy Fork account was then compromised, with
the hacker adding code to send users’ private keys to an external server.
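
The unpinned script reference described above is the case Subresource Integrity is meant to cover. As an added example (not MyDashWallet's code; the hosts, file names and script bodies are constructed placeholders), this Python check lists cross-origin script tags that lack an integrity pin and shows that a pinned hash rejects a copy changed on the host:

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def sri_digest(body: bytes) -> str:
    """integrity= value that pins exactly these bytes (sha384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def matches_pin(body: bytes, integrity: str) -> bool:
    """True if the fetched bytes match one of the sha384 hashes in the attribute."""
    return sri_digest(body) in integrity.split()

class _Scripts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("src"):
            self.found.append(dict(attrs))

def audit(html: str, page_url: str):
    """List (url, problem) for each cross-origin script not pinned by SRI."""
    parser = _Scripts()
    parser.feed(html)
    origin = urlsplit(page_url)[:2]          # (scheme, host)
    findings = []
    for attrs in parser.found:
        url = urljoin(page_url, attrs["src"])
        if urlsplit(url)[:2] == origin:
            continue                         # first-party file
        if not attrs.get("integrity"):
            findings.append((url, "unpinned: host can swap the code"))
        elif "crossorigin" not in attrs:
            findings.append((url, "integrity needs crossorigin to load"))
    return findings

# Constructed sample data; hosts and file names are placeholders.
LIB_V1 = b"function hash(x){ return x; } // reviewed copy"
LIB_CHANGED = LIB_V1 + b" // modified upstream"
PAGE = f"""<html><head>
<script src="/js/app.js"></script>
<script src="https://scripts.example/lib/latest.js"></script>
<script src="https://cdn.example/lib-1.0.js" integrity="{sri_digest(LIB_V1)}"></script>
<script src="https://cdn.example/ok-1.0.js" integrity="{sri_digest(LIB_V1)}" crossorigin="anonymous"></script>
</head></html>"""

if __name__ == "__main__":
    for url, problem in audit(PAGE, "https://wallet.example/"):
        print(url, "->", problem)
    print("changed copy accepted:", matches_pin(LIB_CHANGED, sri_digest(LIB_V1)))
```

A browser enforces the same comparison at load time, so a script changed on the host after the pin was recorded is refused rather than executed.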

“The insecure coding practice implemented by MyDashWallet
went undetected for over a year due to insufficient review of code by third
parties,” Tungfa wrote.

Tungfa also said the use of local keystore files should be
discouraged in favor of hardware wallets similar to those used by MyEtherWallet.

Deepak Patel, security evangelist at PerimeterX, said this
particular type of hack is a danger to cryptocurrency services, but the overall
lack of understanding when it comes to dealing with digital ecosystems and
third-party code is a problem for any organization.

“To stop hacks like these from happening, it is imperative
that organizations begin to take a more robust approach to discovering who is
operating on your website, paying attention to client-side attacks and taking a
hard look at their privacy policies,” he said.
