The Check Point Research (CPR) εντόπισε μια ευπάθεια ασφαλείας στο blockchain wallet by Everscale. If exploited, the vulnerability would give an attacker complete control over the victim's wallet and subsequent funds.
The vulnerability was discovered in the online version of Everscale's wallet, known as Ever Surf.
Available on Google Play and the Apple iOS Store, Ever Surf is cross-platform messenger, a blockchain browser and cryptocurrency wallet for the Everscale blockchain network. According to reports, Everscale conducts 31,6 million transactions and has over 669.000 accounts worldwide. It is a smart contract platform based on Telegram's previous TON blockchain project.
- CPR proves it was possible for an attacker to decrypt private keys and cultivate phrases
- Decryption takes just two minutes on consumer-level hardware
- CPR urges caution when dealing with cryptocurrencies
Check Point Research (CPR) has identified a security vulnerability in Everscale's blockchain wallet. In the event of exploitation, the vulnerability would give an attacker full control of the victim's wallet and subsequent funds. The vulnerability was discovered in the online version of Everscale's wallet, known as Ever Surf. Available on Google Play Store and Apple App Store, Ever Surf is a cross-platform messenger, blockchain browser and cryptocurrency wallet for Everscale's blockchain network.
Everscale's blockchain network has 31,6 million transactions and more than 669.000 accounts worldwide.
Methodology attackς
Taking advantage of the vulnerability, an attacker could decrypt the private keys and boot phrases stored in the browser's local storage. The CPR described the possible attack methodology as follows:
Obtain encrypted wallet keys. Attackers usually use malicious browser extensions, malicious infostealer software or just phishing to obtain the keys
Decrypt the keys by executing a simple script. With the help of the vulnerability discovered, decryption takes just two minutes on a consumer-level hardware
Theft of money from the wallet
Responsible Disclosure
CPR revealed the vulnerability to the developers of Ever Surf, who later released a desktop version that mitigates it. The online version is now obsolete and should only be used for development purposes. Cropping phrases from accounts that store real value in encryption should not be used in the online version of Ever Surf. Ever Surf issued a statement that you can read in the CPR publication.
Comment by Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software:
"We discovered a vulnerability in the popular Everscale blockchain wallet, because of which wallet codes can be easily decrypted by an attacker. Possession of the keys means complete control of the victim's wallet and, consequently, of the funds. Everscale is the technology successor to the TON network, developed by the Telegram team. At the same time, Everscale is still in its infancy. We assumed there might be vulnerabilities in such a young product. We were also curious about how key protection is implemented in the most popular wallet for this blockchain. The CPR proof of concept presents various attackers that can lead an attacker to obtain private keys and seed phrases in plain text, which can then be used to gain complete control of the victim's wallet.
When working with cryptocurrencies, you should always be careful, make sure your device is free of malware, don't open suspicious links, keep your functional system and anti-virus software. Although the vulnerability we identified has been patched in the new desktop version of the Ever Surf wallet, users may face other threats, such as vulnerabilities in decentralized applications or general threats such as fraud, phishing.”
Cyber Safety Tips
We would like to remind you that blockchain transactions are irreversible. In blockchain, unlike a bank, you cannot block a stolen card or dispute a transaction. If the keys to your wallet are stolen, your crypto funds can become easy prey for cybercriminals and no one can help you get your money back. To prevent key theft, we recommend that you:
- Do not follow suspicious links, especially if they come from strangers.
- Keep your operating system and antivirus software up to date
- Do not download software and browser extensions from unverified sources