What do you do when you discover a vulnerability placed into your app to steal from your users? Cryptocurrency wallet maker Komodo’s answer: hack its app and take its users’ money before the hackers. It even worked.
Komodo is a developer startup known for its work in cryptocurrency and creating the Agama cryptocurrency wallet. That wallet is dependent on a JavaScript library maintained in npm (node package manager), and a malicious actor tried to take advantage of the open source nature of the code.
A few months ago, an anonymous contributor made a “useful update” to the library, creating a new dependency. They waited until that update incorporated into the Agama app, then made a change to the new dependency to create a backdoor into the app.
The staff at npm noticed the changes, realized what was going on, and contacted Komodo. Unfortunately, by this point, the backdoor was already in place. Merely updating the app to remove it might not be enough; anyone who didn’t get the update before the hacker broke in would lose their cryptocurrency.
So Komodo took a rather novel approach, it hacked itself. It used the very backdoor the malicious actor planted to sweep up 13 million dollars worth of cryptocurrency and move it to a place the hacker couldn’t reach.
Komodo published a blog to inform its users of what it did, why it did it, and how they can reclaim their money and transfer it back to new, hopefully, more secure, wallets.
All of this is, of course, a lesson in the dangers and strengths developers encounter when using third-party libraries and open software that allow anyone to contribute.
Bad actors can manipulate open software in ways that aren’t possible with proprietary software. But it can also be examined more thoroughly for vulnerabilities. These events illustrate both sides of that coin.
No comments:
Post a Comment