Update your @Ledger hardware wallet ASAP if you haven't already! Last month Ledger released v1.5.5, stating that it contained a "critical security fix on the Bitcoin app" ( ledger.fr/2019/01/16/led… ). I wondered how serious it was, and today I found out the answer...😮
@LappoSergey from @MyceliumCom found the bug, with some help from @LeoWandersleb. He quietly released a blog post detailing the bug, and it's VERY serious.
The Ledger can be fooled into sending away ALL funds from ALL your accounts, with NO warning from the device...🤐
This is how it can be exploited:
a. The user initiates a payment on malicious software
b. ALL coins get used as inputs
c. The Ledger gets fooled into accepting a malicious change address (this faulty behaviour is triggered by simply leaving the derivation path of the change output empty)...😶
d. The user confirms the normal looking transaction on the Ledger
e. ALL coins (minus the payment) get sent to the malicious change address🤯
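To make the failure mode in steps a–e concrete, here is a small added model (my own illustration, not Ledger firmware or Mycelium code) of the "what does the device show before signing" step. A change-address claim from the host is trusted in the buggy version when its derivation path is empty, so the output never reaches the screen; the hardened version hides an output only when the device itself re-derives the claimed path and gets exactly that address. The seed, addresses, amounts and the HMAC-based toy_derive_address are constructed stand-ins (it is not real BIP32 derivation).

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed example: a toy model of the "what does the device show before signing"
# step of a hardware wallet. SEED, the addresses, the amounts and toy_derive_address
# are assumptions for illustration; nothing here is Ledger firmware or Mycelium code.

SEED = b"constructed-seed-do-not-use"
MERCHANT = "toy1merchant_constructed"
ATTACKER = "toy1attacker_constructed"


@dataclass(frozen=True)
class TxOutput:
    address: str
    amount_sats: int
    host_says_change: bool = False  # host software's claim that this output returns to us
    path: str = ""                   # derivation path the host supplies for that claim


def toy_derive_address(seed: bytes, path: str) -> str:
    """Stand-in for BIP32 derivation (NOT real BIP32): an HMAC chain over the path
    components. The only property the check needs is that the device, holding the
    seed, can independently compute which address lives at a given path."""
    key = seed
    for component in path.removeprefix("m/").split("/"):
        key = hmac.new(key, component.encode(), hashlib.sha256).digest()
    return "toy1" + key.hex()[:24]


def confirmation_screen_buggy(seed: bytes, total_in: int, outputs: list[TxOutput]) -> dict:
    """Models the behaviour the thread describes: a change claim with an EMPTY path is
    accepted without verification, so the output never reaches the screen."""
    shown = {}
    for out in outputs:
        if out.host_says_change:
            if out.path == "":           # BUG: nothing to verify, so the claim is trusted
                continue
            if toy_derive_address(seed, out.path) == out.address:
                continue                 # verified change, legitimately hidden
        shown[out.address] = out.amount_sats
    return {"outputs": shown, "fee": total_in - sum(o.amount_sats for o in outputs)}


def confirmation_screen_fixed(seed: bytes, total_in: int, outputs: list[TxOutput]) -> dict:
    """Hardened rule: an output is hidden as change only if the device itself derives
    the claimed path and gets exactly that address. Anything else is displayed."""
    shown = {}
    for out in outputs:
        is_ours = (
            out.host_says_change
            and out.path != ""
            and toy_derive_address(seed, out.path) == out.address
        )
        if not is_ours:
            shown[out.address] = out.amount_sats
    return {"outputs": shown, "fee": total_in - sum(o.amount_sats for o in outputs)}


def malicious_transaction() -> tuple[int, list[TxOutput]]:
    """Constructed sample: 1 BTC of inputs, a tiny payment, and the remainder sent to
    the attacker under a change claim that carries no derivation path."""
    total_in = 100_000_000
    outputs = [
        TxOutput(MERCHANT, 10_000),
        TxOutput(ATTACKER, 99_980_000, host_says_change=True, path=""),
    ]
    return total_in, outputs


def honest_transaction() -> tuple[int, list[TxOutput]]:
    """Constructed sample: same payment, change genuinely returned to our own path."""
    change_path = "m/44'/0'/0'/1/0"
    total_in = 100_000_000
    outputs = [
        TxOutput(MERCHANT, 10_000),
        TxOutput(toy_derive_address(SEED, change_path), 99_980_000,
                 host_says_change=True, path=change_path),
    ]
    return total_in, outputs


if __name__ == "__main__":
    for name, tx in (("malicious", malicious_transaction()), ("honest", honest_transaction())):
        print(name, "buggy:", confirmation_screen_buggy(SEED, *tx))
        print(name, "fixed:", confirmation_screen_fixed(SEED, *tx))
```

Run as a script: for the malicious transaction the buggy screen lists only the 10,000 sat payment and a 10,000 sat fee, exactly the "normal looking transaction" of step d, while the fixed screen also lists the 99,980,000 sats leaving for the unverifiable address. For the honest transaction both versions hide the real change, so the hardening costs nothing in normal use.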
Great work by @LappoSergey, who responsibly disclosed this bug👍 His original write-up can be found here: sergeylappo.github.io/ledger-hack/