Security gap in Everscale Wallet

Check Point Research (CPR) has identified a security vulnerability in Everscale's blockchain wallet. In the event of exploitation, the vulnerability would give an attacker full control of the victim's wallet and subsequent funds.

The vulnerability was discovered in the online version of Everscale's wallet, known as Ever Surf.


Available on Google Play and the Apple App Store, Ever Surf is a cross-platform messenger, blockchain browser, and cryptocurrency wallet for Everscale's blockchain network. Everscale reportedly has 31.6 million transactions and more than 669,000 accounts worldwide. It is a smart contract platform based on Telegram's previous TON blockchain project.

  • CPR demonstrated that an attacker could decrypt private keys and seed phrases
  • Decryption takes just two minutes on consumer-level hardware
  • CPR urges caution when dealing with cryptocurrencies

Attack methodology

By exploiting the vulnerability, an attacker could decrypt the private keys and seed phrases stored in the browser's local storage. CPR described the possible attack methodology as follows:

1. Download the encrypted wallet keys. Typically, attackers use malicious browser extensions, infostealers or simply phishing to get the keys.
2. Decrypt the keys by executing a simple script. With the help of the discovered vulnerability, decryption takes just two minutes on consumer-level hardware.
3. Steal the money from the wallet.

Responsible Disclosure

CPR disclosed the vulnerability to the developers of Ever Surf, who later released a desktop version that mitigates it. The online version is now obsolete and should only be used for development purposes. Seed phrases from accounts that store real value in cryptocurrency should not be used in the online version of Ever Surf. Ever Surf issued a statement that you can read in the CPR publication.

Comment by Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software:

“We have discovered a vulnerability in the popular blockchain wallet Everscale, due to which the wallet codes can be easily decrypted by an attacker. Possession of the keys means full control of the victim's wallet and, therefore, the funds. Everscale is the technological successor of the TON network, which was developed by the Telegram team. At the same time, Everscale is still in the early stages of development. We assumed there might be vulnerabilities in one so young. We were also curious about how the [...] of keys to the most popular wallet for this blockchain is implemented. CPR's proof of concept presents various attack vectors that can lead an attacker to obtain private keys and seed phrases in clear text, which can then be used to gain full control of the victim's wallet.

“When working with cryptocurrencies, you should always be careful to ensure that your device is free of malware, do not open suspicious links, and keep your operating system and anti-virus software up to date. Although the vulnerability we have identified has been fixed in the new desktop version of the Ever Surf wallet, users may face other threats, such as vulnerabilities in decentralized applications or general threats such as fraud, phishing.”

Cyber Safety Tips

We would like to remind you that blockchain transactions are irreversible. On the blockchain, unlike a bank, you cannot block a stolen card or dispute a transaction. If the keys to your wallet are stolen, your crypto funds can become easy prey for cybercriminals and no one can help you get your money back. To prevent the theft of keys, we recommend:

  • Do not follow suspicious links, especially if they come from strangers
  • Keep your operating system and antivirus software up to date
  • Do not download software and browser extensions from unverified sources


Written by newsbot
