MyDashWallet compromised for two months, wallet keys taken

News by Doug Olenick

MyDashWallet's associated external site serving CryptoJS scripts was compromised, with wallet private keys removed for a two-month period

MyDashWallet.org is recommending that its users remove any funds from their wallets as the site has been compromised for the past two months.

MyDashWallet, which calls itself the fastest and easiest way to use DASH cryptocurrency, noted on its site that an associated external site serving CryptoJS scripts was compromised, with the result that wallet private keys were removed over a two-month period.

"To be safe please MOVE your funds to a new HD Wallet (create new wallet in new browser tab or with any other wallet, copy target address, move all funds from your old wallet to the new wallet)," was posted to mydashwallet.org.

At this time it is not known how much DASH currency may have been moved.

In a blog post, dash.org marketing manager Michael Seitz, aka HeyMichael, wrote that a hacker was inside the system between 13 May and 12 July and during that period could have obtained the private keys to any wallet. He also recommended users move their funds.

"Out of an abundance of caution, anyone using mydashwallet.org in that timeframe should assume their private keys are known by the hacker and should immediately move any balances out of that wallet," he said, adding, "Based on our understanding, people who used mydashwallet.org in conjunction with a hardware wallet or with associated tipbots are not affected. We also don’t believe that the vulnerability affects other third-party wallets."

Entry into MyDashWallet began in April when MyDashWallet was modified to load a script from the script hosting website Greasy Fork.

Further detail on the hack was given by a Dash.org administrator with the handle Tungfa, who said that on April 18 MyDashWallet was modified to download an external script from Greasy Fork. He called the move not abnormal, but also not a secure practice, since the reference loaded the latest version of the script rather than a specific version.

On 13 May, the Greasy Fork account was then compromised, with the hacker adding code to send users' private keys to an external server.

"The insecure coding practice implemented by MyDashWallet went undetected for over a year due to insufficient review of code by third parties," Tungfa wrote.
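The unpinned external reference described above is something a review can check mechanically. The following Node.js code is an added example, not code from MyDashWallet or Dash.org: it flags third-party `<script>` tags that carry no Subresource Integrity pin (a standard browser mechanism the article does not mention) and checks a script body against a pin. All hosts, script bodies and function names are constructed for illustration.

```javascript
// Added example (not MyDashWallet code). Hosts and script bodies are constructed.
const { createHash } = require('node:crypto');

// Subresource Integrity value for a script body: "<alg>-<base64 digest>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body, 'utf8').digest('base64')}`;
}

// True only if the body matches one of the space-separated pinned hashes.
function verifyPinned(body, integrity) {
  return integrity.trim().split(/\s+/).some((token) => {
    const alg = token.split('-', 1)[0];
    return ['sha256', 'sha384', 'sha512'].includes(alg) && sriHash(body, alg) === token;
  });
}

// Flag third-party scripts the page would run without an integrity pin.
// A simple regex scan, adequate for reviewing static markup.
function auditScripts(html, ownOrigin) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = (tag.match(/\ssrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) continue; // inline script, nothing fetched
    const url = new URL(src, ownOrigin);
    if (url.origin === new URL(ownOrigin).origin) continue; // first-party
    const integrity = (tag.match(/\sintegrity\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!integrity) findings.push({ src: url.href, issue: 'no integrity attribute' });
  }
  return findings;
}

// Constructed sample: one reviewed script body and a later, modified copy.
const reviewed = 'function encrypt(key, data) { return data; }\n';
const tampered = reviewed + '/* code added after review */\n';
const pin = sriHash(reviewed);
const page = `
<script src="/js/app.js"></script>
<script src="https://scripts.example.invalid/crypto/latest.js"></script>
<script src="https://cdn.example.invalid/crypto-1.0.0.js" integrity="${pin}" crossorigin="anonymous"></script>
`;

console.log(auditScripts(page, 'https://wallet.example.invalid'));
console.log(verifyPinned(reviewed, pin), verifyPinned(tampered, pin));
```

In the browser, the same pin goes in the tag's `integrity` attribute, and a fetched body that no longer matches it is not executed.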

Tungfa also said the use of local keystore files should be discouraged in favor of hardware wallets similar to those used by MyEtherWallet.

Deepak Patel, security evangelist at PerimeterX, said this particular type of hack is a danger to cryptocurrency services, but the overall lack of understanding when it comes to dealing with digital ecosystems and third-party code is a problem for any organisation.

"To stop hacks like these from happening, it is imperative that organisations begin to take a more robust approach to discovering who is operating on your website, paying attention to client-side attacks and taking a hard look at their privacy policies," he said.

This article was originally published on SC Media US.
