While blockchains themselves are hard to hack and penetrate due to their decentralized nature, applications interacting with, say, Bitcoin and Ethereum are susceptible to hacks and other technical mishaps.
According to a recent Twitter thread published by cybersecurity and anti-phishing expert Harry Denley, a browser crypto wallet by the name “Shitcoin Wallet” — yes, that’s literally the name — has been quietly injecting malicious Javascript code into browsers to “steal secrets” from crypto-related websites, allowing for hacking to take place.
⚠️ A browser crypto wallet is injecting malicious JS to steal secrets from @myetherwallet @idexio @binance @neotrackerio @SwitcheoNetwork
Extension-native wallet create also sends secrets to their backend!
Bad guys: erc20wallet[.]tk
ExtensionID: ckkgmccefffnbbalkmbbgebbojjogffn pic.twitter.com/TE2iw5d8Md— harry.eth ◊ (@sniko_) December 31, 2019
Denley’s tweets suggested that the Javascript injected by the wallet allows operators to steal “secrets,” by that I presume he means passwords and other pertinent info that would allow bad actors to steal cryptocurrency, from services like Ethereum interface MyEtherWallet, decentralized exchange IDEX, crypto giant Binance, NEO site NEOTracker, and SwitcheoNetwork.
(Notably, there have been no reports of users of the wallet seeing their Ethereum or other crypto funds stolen so far. This may stem from the fact that Shitcoin Wallet seemingly has few users compared to, say, MetaMask or MyCrypto.)
More information can be found about the technical details of the hack via Harry Denley’s tweet thread and the related links.
Ethereum Applications Under Attack
This news comes shortly after other Ethereum wallets have run into a number of issues.
It began last week when MetaMask, the leading Ethereum wallet and decentralized app browser, claimed that its Android iteration was blocked from being downloaded on the Google Play Store. The massive tech giant cited MetaMask’s purported violation of Google financial services policies, which includes a clause blocking applications from enabling cryptocurrency mining on mobile devices.
In the last week, the MetaMask Android client was suspended by the Google Play App Store @googleplaydev. They cited their policy that bans mining on mobile, which we don't. Appeal rejected. #ProtectWeb3.https://t.co/rfP4EbOAqv!?zippy_activeEl=cryptocurrencies%23cryptocurrencies
— MetaMask (@MetaMask) December 26, 2019
This seeming act of censorship came literal days after Youtube was found to have taken action against Bitcoin and cryptocurrency channels for publishing content promoting “regulated goods.” This debacle has since been reversed, though the MetaMask ban remains an open case.
Following this news regarding MetaMask, long-time Bitcoin and crypto entrepreneur Brian Armstrong, currently the chief executive of Coinbase, took to Reddit saying that not only Google, but “Apple [also] seems to be eliminating the usage of Dapps from the App Store.” He thus concluded that Coinbase Wallet, the firm’s Ethereum interface, may soon remove decentralized application functionality.
Photo by sebastiaan stam on Unsplash