Ledger Wallet Glitch Tricks Users Into Sending Money To Hackers

After a report indicated that a bug in Ledger Wallet’s software could allow users to be duped into sending cryptocurrency to hackers, the hardware wallet company took to Twitter to remind customers to be careful when transferring digital coins. Ledger told users to “always verify [their] receiv[ing] address” on their screen at the bottom of each transaction, TheNextWeb reported.

The announcement came after a DocDroid report was published, which said Ledger’s software was vulnerable to hacks. “Ledger wallets generate the displayed receive address using JavaScript code running on the host machine,” the report said. “This means that a malware can simply replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker.”

And, since Ledger requires that new addresses are constantly made, users don’t have a way to “verify the integrity of the receive address.” As a result, users might be tricked into thinking the receiving address shown on their screen is legitimate when it might not be. DocDroid reportedly told Ledger about the flaw one month ago, but the team decided to let users know about the vulnerability in lieu of making changes to its code.

Responding to criticisms over the flaw, the company said, “a malware can always change what you see on your computer screen. The only solution is prevention and building an UX to make the user check on its device. [One] device verification feature has been added [six] month ago already.”
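The gap the report describes and the on-device check Ledger points to can be modelled in a few lines. This is an added example, not Ledger's code or code from the report: `deriveAddress` is a toy HMAC stand-in for real wallet key derivation, and `Device`, `makeHostWallet`, `seenBefore` and `verifyOnDevice` are hypothetical names.

```javascript
const { createHmac, createHash } = require('crypto');

// Toy stand-in for real HD-wallet derivation (assumption): HMAC(accountKey, index).
function deriveAddress(accountKey, index) {
  const mac = createHmac('sha256', accountKey).update(String(index)).digest('hex');
  return 'addr_' + mac.slice(0, 32);
}

// Hypothetical device model: derives the address itself and shows it on its own screen.
class Device {
  constructor(accountKey) { this.accountKey = accountKey; }
  displayAddress(index) { return deriveAddress(this.accountKey, index); }
}

// Host wallet UI. The generator runs on the host, so modified host code can swap it out.
function makeHostWallet(accountKey, generate = deriveAddress) {
  let next = 0;
  return {
    nextReceiveAddress() {
      const index = next++;
      return { index, address: generate(accountKey, index) };
    },
  };
}

// Weak check: "have I seen this address before?" Fresh addresses are never in the history.
function seenBefore(history, shown) { return history.has(shown.address); }

// Strong check: compare the host's address with what the device derives for the same index.
function verifyOnDevice(device, shown) {
  return device.displayAddress(shown.index) === shown.address;
}

function demo() {
  const key = createHash('sha256').update('constructed sample account key').digest();
  const device = new Device(key);
  const honest = makeHostWallet(key).nextReceiveAddress();
  // Constructed stand-in for a modified host generator that ignores the account key.
  const tampered = makeHostWallet(key, () => 'addr_not_derived_from_account').nextReceiveAddress();
  const history = new Set(); // addresses the user has used before: empty for a fresh address
  return {
    honestSeen: seenBefore(history, honest), tamperedSeen: seenBefore(history, tampered),
    honestVerified: verifyOnDevice(device, honest), tamperedVerified: verifyOnDevice(device, tampered),
  };
}

console.log(demo());
```

Both addresses are equally unfamiliar to the user, so only the comparison against the device's own derivation separates them.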

Founded in 2015, Paris-based Ledger Wallet creates a range of hardware solutions for cryptocurrencies and blockchains, including security solutions for enterprises and digital wallet hardware for consumers. The hardware solutions work to remove the potential point of failure implicit in digital cryptocurrency storage. Hackers can still gain access to someone’s computer and digital bitcoin wallets.

The company’s Ledger Nano S, for instance, is a multi-currency hardware wallet that is about the size of a thumb drive. Currency is stored on the device, which only connects to the internet when a transaction is made; users enter a PIN on a small display screen on the device to verify every transaction.