A bug in the Copay and BitPay apps enables a hacker to steal Bitcoins

  • An anonymous hacker manipulated the apps to load modified code and gain access to the JavaScript library.
  • The library loading the malicious code is identified as Event-Stream.

A vulnerability in the Copay and BitPay apps has allowed a hacker to steal Bitcoins and other funds stored in the cryptocurrency wallets. The bug, dubbed the NPM Package vulnerability, enabled the anonymous hacker to manipulate the apps into loading modified code and gain access to the JavaScript library.

The library through which the malicious code was loaded is identified as Event-Stream. Researchers believe that the malicious code injection attack targeting the JavaScript library went on for weeks.

“Currently we have only confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps. However, the BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users,” BitPay said in a press release.

Once the malicious code was injected into the app, the hacker could steal users’ wallet information, including private keys. The stolen keys were then sent to copayapi[.]host over port 8080.

The BitPay team has urged its customers to stop running the affected apps on their devices. An updated version - 5.2.0 - has been released, addressing the vulnerability.

“In the meantime, if you are using any Copay version from 5.0.2 to 5.1.0, you should not run or open the app. A security update version (5.2.0) has been released and will be available for all Copay and BitPay wallet users in the app stores momentarily,” said BitPay.

In addition, the malicious Event-Stream v3.3.6 has also been taken down from npm.org to prevent further spread of the attack. Existing Copay and BitPay users have been asked to update their wallets to version 5.0.2 before moving their funds.

“Users should not attempt to move funds to new wallets by importing affected wallets' twelve-word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds,” said the BitPay team.