Open-Source Exploit: Private Keys in MyDashWallet Exposed for Two Months- Users Should Move Funds Immediately

The private keys of Dash crypto coins being held in online software “hot wallet” called MyDashWallet have been exposed to hackers for two months, and anyone using the wallet should immediately move funds out.

A “hot wallet” is any cryptocurrency software “wallet” connected to the Internet.

The problem was announced by a Dash.org forum user called “Hey Michael”:

“Today it was discovered that mydashwallet.org was compromised. The hacker was able to obtain private keys used between May 13th and July 12th. Out of an abundance of caution, anyone using mydashwallet.org in that timeframe should assume their private keys are known by the hacker and should immediately move any balances out of that wallet.”

According to HeyMichael, MyDashWallet is not an official Dash product, but is rather, “an online wallet developed and maintained by DeltaEngine, an independent developer. It has no relation with the official wallets maintained by the Dash Core Group development team, which are unaffected by the compromise described below.”

Dash is a cryptocurrency network that bills itself as “better than cash.”

A commenter on the Dash.org forum claims that a code at MyDashWallet was modified in April 2018, “to load an external script from the script hosting website GreasyFork,” and about a year later, on May 13 2019,”a hacker compromised the GreasyFork account of the original author of the script, Jixun Moe, and added code to send users’ private keys to an external server. This change was detected on July 12 2019 when the hacker used the private keys to move user funds.”

Given that cryptocurrency users operate independently of one another and often maintain privacy around their activities, the total amount of DASH stolen will be hard to estimate.

One user of the Dash.org forum claims to have lost almost 144 DASH (almost $18 000 USD) from a compromised MyDashWallet account.

PerimeterX  “security evangelist” Deepak Patel, said this problem can arise when organizations, crypto or otherwise, allow unvetted third parties to contribute to their codebases, something which is common practice in the world of “open-source” software:

“While it is a perfectly normal part of building an online environment to engage third-party code providers and affiliates, it creates a murky world of shadow IT and organizations rendering on an organizations’ website that has not been properly vetted by said organization. This leaves the digital supply chain of the web properties vulnerable to JavaScript hacks such as this…”
Patel said companies need a more mature outlook when it comes to allowing software contributions:
“To stop hacks like these from happening, it is imperative that organizations begin to take a more robust approach to discovering who is operating on your website, paying attention to client-side attacks and taking a hard look their privacy policies.”
Sponsored Links by DQ Promote

Send this to a friend