The web version of the Ever Surf blockchain browser contained a vulnerability
The security experts of Check Point Research (CPR) have found a security vulnerability in the blockchain wallet of Everscale. By exploiting the vulnerability, which has now been fixed, an attacker could have gained complete control over a victim’s wallet and the funds on it. The vulnerability was discovered in the web version of the Everscale wallet called Ever Surf, a cross-platform messenger and blockchain browser that also acts as a crypto wallet and is available in the Google Play and Apple iOS Store. The smart contract platform based on the previous Telegram project TON blockchain has reportedly completed 31.6 million transactions and has over 669,000 accounts worldwide.
“Everscale is still at an early stage of development, so we suspected that there might be vulnerabilities in such a young product.“, scrive Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software.
CPR was able to prove that it was possible for an attacker to decrypt private keys and seed phrases stored in the browser’s local memory within a few minutes.
The security experts outlined the possible attack methodology as follows:
- Obtaining the encrypted keys of the wallet. Usually, attackers use malicious browser extensions, infostealer malware, or just phishing tactics to get to the keys.
- Decryption of the keys by executing a simple script. With the help of the discovered vulnerability, decryption takes only a few minutes on a consumer hardware.
- Theft of money from the wallet.
“CPR’s proof of Concept shows several attack vectors that can lead to an attacker receiving private keys and seed phrases in plain text.”, explains Chailytko. “These can then be used to gain complete control over the victim’s wallet.“
We would like to remind you that blockchain transactions are irreversible. Unlike a bank, blockchain does not allow you to block a stolen card or challenge a transaction. If the keys to your wallet are stolen, your crypto funds can become easy prey for cybercriminals and no one can help you get your money back. To prevent the keys from being stolen, CPR recommends the following security measures:
- Do not follow suspicious links, especially if they are from strangers.
- Keep your operating system and antivirus software up to date.
- Do not download software and browser extensions from unverified sources.
CPR reported the vulnerability to the developers of Ever Surf, who then released a desktop version that fixes this vulnerability. The web version is now deprecated and should only be used for development purposes. Seed phrases of accounts that store real values in cryptocurrencies should not be used in the web version. Ever Surf has issued a statement, which can be read in the technical publication of CPR.