Check Point Research (CPR) has identified a security vulnerability in Everscale's blockchain wallet. In the event of exploitation, the vulnerability would give an attacker full control of the victim's wallet and subsequent funds.
The vulnerability was discovered in the online version of Everscale's wallet, known as Ever Surf.
Available on Google Play and the Apple iOS Store, Ever Surf is a cross-platform messenger, blockchain browser, and cryptocurrency wallet for Everscale's blockchain network. Everscale reportedly has 31.6 million transactions and more than 669,000 accounts worldwide. It is a smart contract platform based on Telegram's previous TON blockchain project.
- CPR proves it was possible for an attacker to decrypt private keys and seed phrases
- Decryption takes just two minutes on consumer-level hardware
- CPR urges caution when dealing with cryptocurrencies
Attack methodology
Taking advantage of the vulnerability, an attacker could decrypt the private keys and seed phrases stored in the browser's local storage. CPR described the possible attack methodology as follows:
- Obtain the encrypted wallet keys. Attackers usually use malicious browser extensions, infostealer malware or simply phishing to obtain the keys.
- Decrypt the keys by executing a simple script. With the help of the vulnerability discovered, decryption takes just two minutes on consumer-level hardware.
- Steal the funds from the wallet.
Responsible Disclosure
CPR disclosed the vulnerability to the developers of Ever Surf, who later released a desktop version that mitigates it. The online version is now obsolete and should only be used for development purposes. Seed phrases from accounts that store real value in cryptocurrency should not be used in the online version of Ever Surf. Ever Surf issued a statement that you can read in the CPR publication.
Comment by Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software:
"We discovered a vulnerability in the popular Everscale blockchain wallet, because of which wallet codes can be easily decrypted by an attacker. Possession of the keys means complete control of the victim's wallet and, consequently, of the funds. Everscale is the technology successor to the TON network, developed by the Telegram team. At the same time, Everscale is still in its infancy. We assumed there might be vulnerabilities in such a young product. We were also curious about how key protection is implemented in the most popular wallet for this blockchain. The CPR proof of concept presents various attackers that can lead an attacker to obtain private keys and seed phrases in plain text, which can then be used to gain complete control of the victim's wallet.
"When working with cryptocurrencies, you should always be careful to ensure that your device is free of malware, do not open suspicious links, and keep your operating system and anti-virus software up to date. Although the vulnerability we have identified has been fixed in the new desktop version of the Ever Surf wallet, users may face other threats, such as vulnerabilities in decentralized applications or general threats such as fraud, phishing."
Cyber Safety Tips
We would like to remind you that blockchain transactions are irreversible. In blockchain, unlike a bank, you cannot block a stolen card or dispute a transaction. If the keys to your wallet are stolen, your cryptocurrencies can become easy prey for cyber criminals and no one can help you get your money back. To prevent key theft, we recommend:
- Do not follow suspicious links, especially if they come from strangers.
- Keep your operating system and antivirus software up to date.
- Do not download software and browser extensions from unverified sources.