Ledger’s New Security Measure: Halting Blind Signing on Dapps Until June 2024

DigiFinex
3 min read · Dec 21, 2023


A Significant Shift in Ledger’s Security Protocol

Ledger, a leading cryptocurrency hardware wallet maker, suffered a significant security breach on December 14, 2023, that impacted numerous Web3 projects and led to a temporary suspension of interactions with all decentralized applications (Dapps). On December 20, 2023, Ledger disclosed details of the attack and announced a pivotal change in its security protocol: blind signing on Ledger devices is suspended until June 2024, to be replaced with clear signing.

Further reading: Beware: Fake Ledger Wallet App on Microsoft Store Swindles $768K in Crypto!

Detailed Breakdown of Ledger’s Security Breach

Ledger’s official blog post reveals a detailed timeline of the attack:

  • 2023-12-14, morning: A former Ledger employee fell victim to a sophisticated phishing attack that gained access to their NPMJS account, bypassing 2FA by using the individual’s session token.
  • 2023-12-14, 09:49 AM / 10:44 AM / 11:37 AM: The attacker published on NPMJS (a package manager for JavaScript code shared between apps) a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7). The malicious code used a rogue WalletConnect project to reroute assets to hackers’ wallets.
  • 2023-12-14, 1:45 PM: Ledger was made aware of the ongoing attack thanks to the prompt reaction of different actors in the ecosystem, including Blockaid, who reached out to the Ledger team and shared updates on X.
  • 2023-12-14, 2:18 PM: Ledger’s technology and security teams were alerted to the attack, and a genuine, fixed version of the Ledger Connect Kit was deployed by Ledger teams within 40 minutes of Ledger becoming aware. Due to the nature of CDN (Content Delivery Network) and caching mechanisms on the Internet, the malicious file remained accessible for a little longer. From the compromise of NPMJS to the complete resolution, approximately 5 hours passed. This extended availability of the malicious code was a result of the time taken for the CDN to propagate and update its caches globally with the latest, genuine version of the file. Despite the file’s five-hour presence, we estimate from our investigation that the window during which user assets were actively drained was confined to less than two hours in total.

Ledger coordinated swiftly with our partner WalletConnect, who disabled the rogue WalletConnect instance used to drain assets from the users.

  • 2023-12-14, 2:55 PM: Following our coordination, Tether froze the USDT of the attacker(s) (cf. TX).

A Move Towards Enhancing User Security

Ledger has acknowledged that the total loss amounted to approximately $600,000, stolen via blind signing from EVM DApps. They have committed to assisting users in recovering these stolen funds by February 2024. More critically, Ledger announced the shift to clear signing instead of blind signing by the end of June 2024, ensuring users can validate all transactions on the Ledger device before signing.

Understanding Blind Signing and Its Risks

As defined by Wikipedia, blind signing is a digital signature method where the content is invisible to the signer before signing. Its characteristics include:

  • The content of the information being signed is invisible to the signer.
  • The signed information is untraceable, with the signer unable to determine when it was signed.

Risks Associated with Blind Signing

Ledger’s official information highlights that the rapid development of NFTs, DeFi, and Dapps has complicated the interaction between users and smart contracts. Blind signing, in which the user authorizes a transaction without being able to see its full content on the device, exposes assets to a significant risk of theft by hackers.

Further reading: U.S. Sanctions ‘Sinbad’ Crypto Mixer: North Korea’s Lazarus Group’s Key Laundering Tool Poses National Security Threat

A Crucial Step for Safer Blockchain Transactions

Ledger’s decision to halt blind signing and adopt clear signing until June 2024 marks a crucial step towards safer blockchain interactions. This strategic shift reflects Ledger’s commitment to heightening security and trust in the evolving and often treacherous landscape of blockchain technology.

Click here to register with DigiFinex and enjoy cryptocurrency trading.

Keywords: Ledger, Cryptocurrency, Hardware Wallet, Security Breach, Connect Kit, Web3 Projects, Decentralized Applications, Dapps, Blind Signing, Clear Signing, Phishing Attack, NPMJS, WalletConnect, Tether, USDT, EVM DApps, Cybersecurity, Blockchain
