Security gap in Everscale Wallet

The Check Point (CPR) εντόπισε μια ευπάθεια ασφαλείας στο blockchain by Everscale. If exploited, the vulnerability would give an attacker complete control over the victim's wallet and subsequent funds.

The vulnerability was discovered in the online version of Everscale's wallet, known as Ever Surf.

everscale logo

Available on Google Play and the Apple iOS Store, Ever Surf is cross-platform , a blockchain browser and cryptocurrency wallet for the Everscale blockchain network. According to reports, Everscale conducts 31,6 million transactions and has over 669.000 accounts worldwide. It is a smart contract platform based on Telegram's previous TON blockchain project.

  • CPR proves it was possible for an attacker to decrypt private keys and cultivate phrases
  • Decryption takes just two minutes on consumer-level hardware
  • CPR urges caution when dealing with cryptocurrencies

Check Point Research (CPR) has identified a security vulnerability in Everscale's blockchain wallet. In the event of exploitation, the vulnerability would give an attacker full control of the victim's wallet and subsequent funds. The vulnerability was discovered in the online version of Everscale's wallet, known as Ever Surf. Available on Google Play Store and Apple App Store, Ever Surf is a cross-platform messenger, blockchain browser and cryptocurrency wallet for Everscale's blockchain network.

Everscale's blockchain network has 31,6 million transactions and more than 669.000 accounts worldwide.

Methodology ς

Taking advantage of the vulnerability, an attacker could decrypt the private keys and boot phrases stored in the browser's local storage. The CPR described the possible attack methodology as follows:

Obtain encrypted wallet keys. Attackers usually use malicious browser extensions, malicious infostealer software or just phishing to obtain the keys
Decrypt the keys by executing a simple script. With the help of the vulnerability discovered, decryption takes just two minutes on a consumer-level hardware
Theft of money from the wallet

Responsible Disclosure

CPR revealed the vulnerability to the developers of Ever Surf, who later released a desktop version that mitigates it. The online version is now obsolete and should only be used for development purposes. Cropping phrases from accounts that store real value in encryption should not be used in the online version of Ever Surf. Ever Surf issued a statement that you can read in the CPR publication.

Comment by Alexander Chailytko, Cyber ​​Security, Research & Innovation Manager at Check Point :

"We discovered a vulnerability in the popular Everscale blockchain wallet, because of which wallet codes can be easily decrypted by an attacker. Possession of the keys means complete control of the victim's wallet and, consequently, of the funds. Everscale is the technology successor to the TON network, developed by the Telegram team. At the same time, Everscale is still in its infancy. We assumed there might be vulnerabilities in such a young product. We were also curious about how key protection is implemented in the most popular wallet for this blockchain. The CPR proof of concept presents various attackers that can lead an attacker to obtain private keys and seed phrases in plain text, which can then be used to gain complete control of the victim's wallet.

When working with cryptocurrencies, you should always be careful, make sure your device is free of malware, don't open suspicious links, keep your and anti-virus software. Although the vulnerability we identified has been patched in the new desktop version of the Ever Surf wallet, users may face other threats, such as vulnerabilities in decentralized applications or general threats such as fraud, phishing.”

Cyber ​​Safety Tips

We would like to remind you that blockchain transactions are irreversible. In blockchain, unlike a , you cannot block a stolen card or dispute a transaction. If the keys to your wallet are stolen, your crypto funds can become easy prey for cybercriminals and no one can help you get your money back. To prevent key theft, we recommend that you:

  • Do not follow suspicious links, especially if they come from strangers.
  • Keep your operating system and antivirus software up to date
  • Do not download software and browser extensions from unverified sources

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.
Check Point Research, Everscale, iguru

Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).