pull down to refresh

11 sats \ 9 replies \ @ek 11 Sep \ parent \ on: How to Verify the Impact of the Recent NPM Attack on My Wallets? bitcoin

If it swaps the address, you know which one you entered. Compare that one with the one it tells you you entered. No external signer needed.

I assume the swap happens before signing. But if it happens after signing, this means the attacker can also sign, in which case they would just drain your wallet immediately.

write
preview
0 sats \ 8 replies \ @adlai 11 Sep

deleted by author

reply
6 sats \ 1 reply \ @ek 11 Sep
your logic is about a hypothetical attacker who is currently authoring malware

my logic was about backing up my assumption that it swaps before signing because I did not read the malware code

reply
0 sats \ 0 replies \ @adlai 11 Sep

half the bloody problem is that there is too much code. I think it's been this way for longer than NASDAQ, although I'm younger.

reply
0 sats \ 5 replies \ @ek 11 Sep

wdym with "payload might not include exfil"?

if an attacker can sign whatever they want, why wouldn't they drain the wallet?

reply
0 sats \ 4 replies \ @adlai 11 Sep

I have not read any of the theft complaints. I have no idea how anything signed leaves the browser.

reply
5 sats \ 3 replies \ @ek 11 Sep

the malware swaps the address. so when you sign without double-checking the address, you're actually signing a tx to the attacker. you're then broadcasting that tx like you would normally. that's how anything signed leaves the browser or wallet.

reply
0 sats \ 2 replies \ @adlai 11 Sep

deleted by author

reply
0 sats \ 1 reply \ @ek 11 Sep

yes, which is what I said because the malware has to swap the address before you sign

reply
0 sats \ 0 replies \ @adlai 11 Sep

the details of my criticism depend on the UX of the target attacked by the payload. by my understanding, if the payload only detects and swaps addresses, then our entire discussion is the real scam, donating our sats to the rest of the community.

reply