Critical Bug in Everscale Wallet Could Have Allowed Attackers to Steal Cryptocurrencies
A security flaw has been disclosed in the web version of the Ever Surf wallet which, if successfully weaponized, could allow an attacker to take full control of a victim’s wallet.
“By exploiting the vulnerability, it is possible to decrypt private keys and seed phrases that are stored in the browser’s local storage,” Israeli cybersecurity firm Check Point said in a report shared with The Hacker News. “In other words, the attackers could take full control of the victim’s wallets.”
Ever Surf is a cryptocurrency wallet for the Everscale (formerly FreeTON) blockchain that also doubles as a cross-platform messenger and allows users to access decentralized applications as well as send and receive non-fungible tokens (NFTs). It is said to have around 669,700 accounts across the globe.
Through attack vectors such as malicious browser extensions or phishing links, the flaw makes it possible to obtain a wallet’s encrypted keys and seed phrases from the browser’s local storage; these can then be brute-forced to siphon off funds.
Because the browser’s local storage is itself not encrypted, its contents can be read by malicious browser add-ons or by information-stealing malware that collects this data from different web browsers.
Following responsible disclosure, a new desktop app was released to replace the vulnerable web version, with the latter now marked as deprecated and used for development purposes only.
“Having the keys means complete control over the victim’s wallet, and therefore over the funds,” said Alexander Chailytko of Check Point. “When working with cryptocurrencies, you should always be careful, make sure your device is free from malware, don’t open suspicious links, keep the operating system and anti-virus software up to date.”
“Despite the fact that the vulnerability we found has been fixed in the new desktop version of the Ever Surf wallet, users may encounter other threats such as vulnerabilities in decentralized applications or general threats such as fraud, [and] phishing.”