A new vulnerability in the Ledger hardware wallet can cause user funds to be stolen.
Monokh, an anonymous blockchain researcher, found a new vulnerability in Ledger wallets. According to Monokh, the vulnerability can be used to move a user's BTC to another address. The core problem is that while the Ledger owner believes they are sending a Bitcoin fork such as Litecoin, Bitcoin Cash or testnet bitcoins, they do not see that real Bitcoin is leaving their wallet.
Under normal circumstances, Ledger users have to install the application for each cryptocurrency or asset they want to keep in the wallet. These applications are designed to stay isolated from one another on the device.
In other words, only one application can be unlocked at a time to perform functions such as signing messages, exporting public keys, or approving a transaction; all other, locked apps should be unreachable by external messages.
However, this newly discovered vulnerability showed that the Bitcoin (mainnet) public-key and signing functions remained reachable on the Ledger device while transactions were being made in applications other than Bitcoin. For example, with the Litecoin application open, the device can also receive a confirmation request for a Bitcoin transfer, while the interface shows a Litecoin transfer to another Litecoin address. If the user confirms, a fully valid Bitcoin (mainnet) transaction is produced.
Since the user wants to send Litecoin, not Bitcoin, the Ledger device should have a safeguard that automatically catches this mismatch. Monokh stated that the flaw could lead to theft of Bitcoin from users who transact with Bitcoin forks.
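The isolation rule described above, and the way it fails, can be modelled in a few lines. The following is an added illustration, not Ledger's firmware or protocol: the seed, the HMAC-based key derivation and "signing", the app names and the request format are all constructed stand-ins. It contrasts a device that leaves the Bitcoin mainnet signer reachable while the Litecoin app is open with one that only routes signing requests to the currently open app, and checks which coin's key actually produced the signature.

```python
"""Toy model of hardware-wallet app isolation and of the flaw described
above: a Bitcoin mainnet signing path that stays reachable while another
coin's app is open. All values and mechanisms here are constructed for
illustration; they are not Ledger's firmware, key scheme or protocol."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed seed. Real wallets derive keys along BIP32 paths and sign
# with ECDSA; HMAC-SHA256 is used here only so the example runs offline
# and the coin bound to each signature can be checked.
SEED = hashlib.sha256(b"example seed, not a real wallet").digest()


def derive_key(seed: bytes, coin: str) -> bytes:
    """Return a coin-specific private key (constructed, HMAC-based)."""
    return hmac.new(seed, coin.encode(), hashlib.sha256).digest()


def sign(key: bytes, payload: bytes) -> bytes:
    """Stand-in signature; the key decides which coin's funds it spends."""
    return hmac.new(key, payload, hashlib.sha256).digest()


@dataclass
class SignRequest:
    coin: str       # network the host actually asks the device to sign for
    display: str    # text the device shows the user for approval
    payload: bytes  # serialized transaction to sign


class IsolationError(Exception):
    pass


class Device:
    def __init__(self, seed: bytes, enforce_isolation: bool):
        self.seed = seed
        self.open_app = None
        self.enforce_isolation = enforce_isolation

    def open(self, app: str) -> None:
        self.open_app = app

    def reachable_signers(self) -> set:
        """Which coins' signers a host message can currently reach."""
        if self.enforce_isolation:
            return {self.open_app}
        # Vulnerable behaviour: the bitcoin mainnet signer stays exported
        # no matter which app is open.
        return {self.open_app, "bitcoin"}

    def request_signature(self, req: SignRequest, user_approves) -> bytes:
        if req.coin not in self.reachable_signers():
            raise IsolationError(
                f"{req.coin} signer not reachable while {self.open_app} is open")
        if not user_approves(req.display):
            raise IsolationError("user rejected the request")
        return sign(derive_key(self.seed, req.coin), req.payload)


def which_coin_spends(signature: bytes, payload: bytes, seed: bytes, coins) -> str:
    """Identify which coin's key produced a signature (the on-chain truth)."""
    for coin in coins:
        if hmac.compare_digest(sign(derive_key(seed, coin), payload), signature):
            return coin
    return "unknown"


def scenario(enforce_isolation: bool) -> str:
    """Replay the report: Litecoin app open, prompt says Litecoin, host asks
    for a Bitcoin mainnet signature. Returns the coin spent, or 'blocked'."""
    dev = Device(SEED, enforce_isolation)
    dev.open("litecoin")
    req = SignRequest(coin="bitcoin",
                      display="Send 1.0 LTC to ltc1-example-address (constructed)",
                      payload=b"serialized tx bytes (constructed)")
    approve = lambda text: "LTC" in text  # the user approves what they see
    try:
        sig = dev.request_signature(req, approve)
    except IsolationError:
        return "blocked"
    return which_coin_spends(sig, req.payload, SEED, ["litecoin", "bitcoin"])


if __name__ == "__main__":
    print("vulnerable firmware spends:", scenario(enforce_isolation=False))
    print("hardened firmware:", scenario(enforce_isolation=True))
```

The point the model makes is that the approval screen is not the security boundary: the user approves the text they are shown, so the device has to guarantee that the only signer a host message can reach is the one belonging to the app whose screen is being displayed.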
Ledger had previously suffered another security incident, in which the personal information of thousands of users was exposed and even leaked to third parties.
Statement from Ledger
The company, after remaining silent for a while, published a security bulletin in which it acknowledged the vulnerability and its risks and stated that more cryptocurrencies might be affected. It said the Bitcoin application would be released with the error corrected, and thanked Monokh for reporting it.