Ledger Isolation vulnerability is much more dangerous than people might think


The recently revealed [vulnerability](https://monokh.com/posts/ledger-app-isolation-bypass) in Ledger is much worse than people might think.

At least, I could see on the Ledger and Bitcoin subs that people think they are safe if they do not download some malware on their PC/laptop.

But this is wrong.

The issue can also be exploited when you use only standard applications on your Ledger which are affected (BTC and its derivatives).

The attack vector here is if someone tricks you into interfacing with a malicious **web wallet** with your Ledger (so no, you do not need to install anything to lose your coins).

As an example:

1. The attacker sends you a link to an LTC web wallet (he says it is a new, really great wallet and wants you to try it, or gives whatever other reason).
2. You think you are safe; after all, Ledger protects your private keys and everything has to be confirmed. So you connect and try to send out some LTC to the attacker, just as a donation or anything else.
3. The web wallet sends a spoofed transaction to your Ledger, so you think you are confirming an LTC transfer; instead, your BTC is sent out.

There are many scenarios like this. You are affected anytime you interact with your Ledger and any web service (not only if you use fake software wallets).

I explicitly asked about it and this attack vector was [confirmed](https://np.reddit.com/r/ledgerwallet/comments/i3jyzw/from_bitcoin_sub_ledger_app_isolation_bypass/g0cqott/?utm_source=share&utm_medium=web2x) by Ledger.

Stay safe.

Source : https://reddit.com/r/CryptoCurrency/comments/i3zy18/ledger_isolation_vulnerability_is_much_more/
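
One way to express the isolation the post says was bypassed, as an added example that is not part of the original post and not Ledger's code: a signer that refuses any key path outside the open app's own coin. It assumes the cross-coin request is visible as a BIP32 path whose SLIP-44 coin type differs from the open app's; `parse_path`, `path_allowed` and the sample requests are hypothetical and constructed.

```python
# Added example: per-app BIP32 path policy. All names here are hypothetical.
HARDENED = 0x80000000

# SLIP-44 coin types for the two coins named in the post.
COIN_TYPE = {"BTC": 0, "LTC": 2}
# Purposes commonly used by Bitcoin-family wallets (BIP44/49/84).
ALLOWED_PURPOSES = {44, 49, 84}


def parse_path(path):
    """Parse "m/44'/2'/0'/0/5" into a list of 32-bit BIP32 indexes."""
    parts = path.strip().split("/")
    if parts[0] != "m" or len(parts) < 2:
        raise ValueError("path must start with m/")
    out = []
    for p in parts[1:]:
        hardened = p.endswith(("'", "h"))
        num = p[:-1] if hardened else p
        if not num.isdigit() or int(num) >= HARDENED:
            raise ValueError(f"bad path element: {p!r}")
        out.append(int(num) | (HARDENED if hardened else 0))
    return out


def path_allowed(open_app, path):
    """True only if the path stays inside the open app's own coin subtree."""
    try:
        idx = parse_path(path)
    except ValueError:
        return False  # malformed paths are refused, never guessed at
    if len(idx) < 3 or open_app not in COIN_TYPE:
        return False
    # Purpose, coin type and account must all be hardened.
    if not all(i & HARDENED for i in idx[:3]):
        return False
    purpose, coin = idx[0] ^ HARDENED, idx[1] ^ HARDENED
    return purpose in ALLOWED_PURPOSES and coin == COIN_TYPE[open_app]


# Constructed requests a host could send while the LTC app is open.
REQUESTS = ["m/44'/2'/0'/0/5", "m/84'/0'/0'/0/0", "m/44'/2/0'/0/0"]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r, "sign" if path_allowed("LTC", r) else "REFUSE")
```

Only the first constructed request is signed: the second names Bitcoin's coin type while the LTC app is open, and the third drops hardening on the coin-type level.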

