Ledger Security Bulletin 004

11 November 2018: Bitcoin change address injection.

Summary

A vulnerability was found in the Bitcoin app allowing an attacker to add an unverified output change address into a legit transaction. It can lead to sending funds to an arbitrary address without requiring an additional confirmation on the device. The original transaction still has to be confirmed though.

Technical details

A blogpost is already written by the security researcher and explains the technical details of this vulnerability.

Impact on the Ledger Nano S

  • The firmware version 1.5.5 of the Ledger Nano S fixes the vulnerability.
  • The BTC app from version 1.3.3 is fixed.

Credits

We would like to thank the security researcher Sergey Lappo from Mycelium who discovered the vulnerability and reported it through our bug bounty program.

References

  1. How (not) to lose your life savings while paying for a coffee with your Ledger Hardware Wallet - Sergey’s blog
  2. Ledger releases new Nano S firmware update - Ledger