"Click to copy" exploit replacing wallet addresses!

by COINS NEWS 96 Views

The malicious script we found replaces a wallet address you've copied with a different one! A totally different wallet address that belongs to the hacker/exploiter!

I have to start with the banner above, because my colleague and I discovered an 'interesting' exploit. For context, this was not on a valid/trusted website!

What does this exploit do?

Explaining how this exploit works is simple through an example. Have you ever typed "BRB" on your phone in WhatsApp? It automatically changes to "Be right back".

The input is recognized and replaced with something else, in this case, an abbreviation transformed into the full text. This is how this exploit functions.

When a user performs a CTRL-C (copy action) or clicks on a "Click-to-Copy" button, the script activates.

It checks the content of the clipboard (the copied content) of your device, which is stored in the memory of your phone or computer. If what's copied matches this pattern: ^(0x)[0-9a-fA-F]{40}$, the value of the copied content is replaced with something else. Similar to the "BRB" example.

What does ^(0x)[0-9a-fA-F]{40}$ do?

To understand this, we must break it into pieces.

^ = Start of the input.
(0x) = The input must begin with "0x".
[0-9a-fA-F]{40} = The input must follow a pattern of characters and numbers, from 0 to 9. Letters from a to f (both uppercase and lowercase), and there must be exactly 40 characters.
$ = End of the string.

The above demonstrates that the script targets ERC-20 addresses.

What happens?

So you want to make a transaction and send ETH from one address to another.

You've copied the wallet address since typing it out can lead to errors. You likely have it saved somewhere in a text file or copied it from a webpage.

Now, your clipboard contains an address that matches the pattern.

The malicious script we found replaces a wallet address you've copied with a different one! A totally different wallet address that belongs to the hacker/exploiter!

You press CTRL-V (paste) and then paste in the wrong wallet address, which you then use for your transaction!

Even if you copy the address correctly and check it a gazillion times, the script recognizes the pattern and replaces the wallet address, which you will then use for your transaction.

The result? Your funds are gone.

The case we found was implemented by using an external JavaScript inside a (malicious) web page. The exploit was less than 20 lines of code, and in size? Less than 1KB. We've checked multiple AVs (antivirus) and none of them were triggered.

When (legitimate) websites use external JavaScript files, hosted on other/external platforms, these files can be compromised. So in my opinion, every website is or can be vulnerable.

It's not a matter of 'if this could happen', but more likely 'when will this happen'.

What should you do?

When you copy and paste a wallet address, still verify it afterwards! Don't assume it's correct right away.

Always double-check the last all digits/characters. Or copy a wallet address in two parts so that the pattern isn't/can't be detected.

Crypto is booming, and malicious actors are well aware.

Zero-trust, always!

submitted by /u/bvandepol
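
The verification advice above, written out as a check (an added example, not part of the original post and not the script the authors found). It uses the pattern quoted in the post to compare the address you meant to use with what was actually pasted, character by character, and shows that an address copied in two parts no longer fits the pattern. The function names and the sample addresses are constructed for illustration.

```javascript
// Pattern quoted in the post: "0x" followed by exactly 40 hex characters.
const ADDRESS_PATTERN = /^(0x)[0-9a-fA-F]{40}$/;

// Compare the address the user intended with the text that was pasted.
// Hex digits are compared case-insensitively; every position is checked,
// not only the first or last few characters.
function checkPaste(intended, pasted) {
  const a = String(intended).trim();
  const b = String(pasted).trim();
  if (!ADDRESS_PATTERN.test(a)) return { status: "intended-not-address", diffs: [] };
  if (!ADDRESS_PATTERN.test(b)) return { status: "pasted-not-address", diffs: [] };
  const diffs = [];
  for (let i = 0; i < a.length; i++) {
    if (a[i].toLowerCase() !== b[i].toLowerCase()) diffs.push(i);
  }
  return { status: diffs.length === 0 ? "match" : "replaced", diffs };
}

// The post's workaround: copy the address in two parts, so that neither
// clipboard value on its own fits the pattern.
function splitForCopy(address) {
  const mid = Math.ceil(address.length / 2);
  const parts = [address.slice(0, mid), address.slice(mid)];
  return { parts, anyPartMatches: parts.some((p) => ADDRESS_PATTERN.test(p)) };
}

// Constructed sample values (not real wallets).
const INTENDED = "0x" + "ab12".repeat(10);
const REPLACED = "0x" + "cd34".repeat(10);

console.log(checkPaste(INTENDED, INTENDED).status);  // same address
console.log(checkPaste(INTENDED, REPLACED).status);  // a different, well-formed address
console.log(splitForCopy(INTENDED).anyPartMatches);  // halves vs. the pattern
```
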