A recent report contends that Ledger App has failed to fix a major vulnerability that allows for a “Bitcoin Fork” attack.
Mo Nokhbeh claims Ledger’s wallet fails to properly isolate the apps responsible for authorizing transactions of different assets. As a result, a user’s wallet can be fooled into authorizing what appears to be a transaction for a less valuable asset, such as Litecoin (LTC), Bitcoin Cash (BCH) or any other Bitcoin fork coin, when in reality a Bitcoin (BTC) transaction is being released. Nokhbeh told Cointelegraph:
“This app should be isolated such that it only signs for testnet derivation paths. However, sending it a regular mainnet bitcoin transaction will pass. In addition, it will present the TX as if it’s testnet bitcoin, to a testnet bitcoin address.”
According to Nokhbeh, he made Ledger fully aware of this vulnerability and, despite acknowledging it, the company has failed to fix it. Instead, it has chosen to release an update to its existing app that will show users a warning prompt if such an exploit is detected.
We have reached out to Ledger for comment and will update pending a response.
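The isolation Nokhbeh describes comes down to refusing any signing request whose input derivation paths fall outside the app's own coin type. The sketch below is an added illustration, not Ledger's code: the function names and app labels are hypothetical, and it assumes BIP44/49/84 path layouts with SLIP-0044 coin types (0 for Bitcoin, 1 for testnet, 2 for Litecoin, 145 for Bitcoin Cash).

```python
HARDENED = 0x80000000
# SLIP-0044 coin types for the assets named in the article.
COIN_TYPES = {"bitcoin": 0, "bitcoin-testnet": 1, "litecoin": 2, "bitcoin-cash": 145}
# Purposes whose second path level is the coin type (BIP44, BIP49, BIP84).
PURPOSES = {44, 49, 84}


def parse_path(path):
    """Turn "m/44'/1'/0'/0/5" into a list of 32-bit BIP32 indices."""
    parts = path.strip().split("/")
    if parts[0] != "m" or len(parts) < 2:
        raise ValueError("path must start with m/")
    indices = []
    for part in parts[1:]:
        hardened = part.endswith(("'", "h"))
        digits = part[:-1] if hardened else part
        if not (digits.isascii() and digits.isdigit()) or int(digits) >= HARDENED:
            raise ValueError(f"bad path element {part!r}")
        indices.append(int(digits) | HARDENED if hardened else int(digits))
    return indices


def check_signing_request(app, input_paths):
    """Return (allowed, reason); allow only if every input path belongs to `app`."""
    if app not in COIN_TYPES:
        return False, f"unknown app {app!r}"
    if not input_paths:
        return False, "no input paths supplied"
    expected = COIN_TYPES[app] | HARDENED
    for path in input_paths:
        try:
            idx = parse_path(path)
        except ValueError as exc:
            return False, str(exc)
        if len(idx) < 2 or idx[0] not in {p | HARDENED for p in PURPOSES}:
            return False, f"{path}: unsupported purpose"
        if idx[1] != expected:
            return False, f"{path}: coin type does not belong to {app}"
    return True, "all inputs belong to this app"


if __name__ == "__main__":
    # Constructed requests: the second is the case from the quote above.
    print(check_signing_request("bitcoin-testnet", ["m/44'/1'/0'/0/0"]))
    print(check_signing_request("bitcoin-testnet", ["m/44'/0'/0'/0/0"]))
```

A check of this kind rejects the request outright rather than relying on the user to notice a warning.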