Check Point Research (CPR) identified a security vulnerability in Everscale’s blockchain wallet. If exploited, the vulnerability would have given an attacker full control over a victim’s wallet and subsequent funds. The vulnerability was discovered in the web version of Everscale’s wallet, known as Ever Surf. Available on Google Play and Apple iOS Store, Ever Surf is a cross-platform messenger, blockchain browser, and crypto wallet for the Everscale blockchain network. Reported to conduct 31.6 million transactions and have over 669,000 accounts worldwide, Everscale is a smart contract platform based on Telegram’s predecessor TON blockchain project.
- CPR proves it was possible for an attacker to decrypt private keys and seed phrases
- Decryption takes just a couple of minutes on consumer-grade hardware
- CPR urges caution when dealing with cryptocurrencies
By exploiting the vulnerability, it was possible for an attacker to decrypt the private keys and seed phrases that are stored in the browser’s local storage. CPR outlined the potential attack methodology as follows:
- Obtain the encrypted keys of the wallet. Attackers usually get them with malicious browser extensions, infostealer malware, or plain phishing
- Decrypt the keys by running a simple script. With the help of the discovered vulnerability, decryption takes just a couple of minutes on consumer-grade hardware
- Steal funds from the wallet
CPR disclosed the vulnerability to Ever Surf developers, who then released a desktop version that mitigates this vulnerability. The web version is now declared deprecated and should only be used for development purposes. Seed phrases from accounts that store real value in crypto should not be used in the web version of Ever Surf. Ever Surf issued a statement that can be read in CPR’s technical publication.
Quote: Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software:
“We discovered a vulnerability in the popular Everscale blockchain wallet, due to which the wallet keys can be easily decrypted by an attacker. Having the keys means full control over the victim’s wallet and, therefore, funds. Everscale is the technological successor of the TON network, which was developed by the Telegram team. At the same time, Everscale is still in the early stages of development. We assumed that there might be vulnerabilities in such a young product. We were also curious how key protection is implemented in the most popular wallet for this blockchain. CPR’s proof of concept presents several attack vectors that can lead to an attacker obtaining private keys and seed phrases in clear text, which can then be used to gain full control over the victim’s wallet.
When working with cryptocurrencies, you always need to be careful: ensure your device is free of malware, do not open suspicious links, and keep your OS and anti-virus software updated. Despite the fact that the vulnerability we found has been patched in the new desktop version of the Ever Surf wallet, users may encounter other threats, such as vulnerabilities in decentralized applications, or general threats like fraud and phishing.”
Cyber Safety Tips
We would like to remind you that blockchain transactions are irreversible. On a blockchain, unlike at a bank, you cannot block a stolen card or dispute a transaction. If the keys for your wallet are stolen, your crypto funds become easy prey for cybercriminals, and no one can help return your money. To prevent theft of the keys, we recommend:
- Do not follow suspicious links, especially if they are received from strangers
- Keep your OS and anti-virus software updated
- Do not download software and browser extensions from unverified sources