A Ledger wallet vulnerability can make a user send bitcoin instead of an altcoin
A vulnerability has been discovered in the Ledger hardware wallet that could lead to the loss of bitcoins by users. Security researcher Mohammad Nohbeh disclosed the details.
To carry out the attack, an attacker can create a transaction that looks like an altcoin transaction but in reality withdraws bitcoins from the user's wallet.
“The attacker can use this method to transfer bitcoin, while the user will have the impression that another, less valuable altcoin (for example, Litecoin, Bitcoin on the testnet, Bitcoin Cash, etc.) is being transacted,” Nohbeh writes.
For example, a user might think they are sending 0.01 LTC when in reality 0.01 BTC will be debited from their wallet.
The expert explained that Ledger hardware wallets run a separate specialized application for each cryptocurrency, and only one of them can be active at a given moment. As it turned out, however, external services can also access applications that are currently inactive.
“It was found that for bitcoin and bitcoin forks, the device provides functions when working with any asset. In other words, once you unblock the Litecoin app, you will be prompted to confirm the bitcoin transfer, while the interface will display the transfer and the Litecoin address. If this request is accepted, a fully valid signed transaction will be sent on the Bitcoin mainnet,” Nohbeh said.
Ledger acknowledged the problem and promised to release a new version of its Bitcoin application that will display a warning if a non-standard way of making a transaction is detected. The company explained that the Bitcoin application remains available while working with other cryptocurrencies because of how support is implemented for forks of the first cryptocurrency, which share a common transaction history with it.
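
One way the warning described above could be decided, as an added example that is not Ledger's code or part of the original report. It assumes a signing request names its key with a BIP44-style derivation path whose second component is the SLIP-44 coin type (the article does not describe the request format); `parse_path`, `check_request` and the sample paths are hypothetical.

```python
# Added illustration, not Ledger firmware. Assumption: a signing request names
# its key with a BIP44-style path, m / purpose' / coin_type' / account' / ...
HARDENED = 0x80000000

# SLIP-44 coin types for the assets named in the article.
COIN_TYPES = {"Bitcoin": 0, "Bitcoin Testnet": 1, "Litecoin": 2, "Bitcoin Cash": 145}


def parse_path(path):
    """Turn "m/44'/2'/0'/0/5" into a list of 32-bit BIP32 indexes."""
    parts = path.strip().split("/")
    if len(parts) < 2 or parts[0] != "m":
        raise ValueError("path must start with m/")
    indexes = []
    for part in parts[1:]:
        hardened = part.endswith(("'", "h"))
        digits = part[:-1] if hardened else part
        if not digits.isdigit() or int(digits) >= HARDENED:
            raise ValueError("bad path component: %r" % part)
        indexes.append(int(digits) | (HARDENED if hardened else 0))
    return indexes


def check_request(active_app, path):
    """Return (decision, reason) for a signing request made while `active_app` is open."""
    expected = COIN_TYPES[active_app]
    try:
        indexes = parse_path(path)
    except ValueError as exc:
        return "warn", "unparseable path (%s)" % exc
    if len(indexes) < 3:
        return "warn", "path too short to identify a coin"
    purpose, coin = indexes[0], indexes[1]
    if not (purpose & HARDENED and coin & HARDENED):
        return "warn", "purpose or coin type is not hardened"
    coin &= ~HARDENED
    if coin != expected:
        owner = next((n for n, c in COIN_TYPES.items() if c == coin), "coin type %d" % coin)
        return "warn", "key belongs to %s, but the open app is %s" % (owner, active_app)
    return "allow", "path matches the open app"


if __name__ == "__main__":
    # Constructed requests: the second one is the article's scenario.
    for app, path in [("Litecoin", "m/44'/2'/0'/0/5"), ("Litecoin", "m/44'/0'/0'/0/5"),
                      ("Bitcoin", "m/44'/0'/0'"), ("Litecoin", "m/44/2/0")]:
        print(app, path, check_request(app, path))
```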