MyDashWallet, a service that purports to be the fastest way of using DASH cryptocurrency, has revealed its platform was compromised for two whole months, and is now urging users to move their funds as soon as possible (if they’re still there).
“The hacker was able to obtain private keys used between May 13 and July 12,” wrote Dash marketing manager Michael Seitz in a July 12 Dash forum post.
Inspired by MyEtherWallet, MyDashWallet acts as an online wallet for fledgling altcoin DASH. The service, which runs almost entirely on JavaScript, allows users to store, send, and receive DASH from within their web browser.
“Out of an abundance of caution, anyone using mydashwallet.org in that timeframe should assume their private keys are known by the hacker and should immediately move any balances out of that wallet,” he added.
Insecure coding practices went undetected for over a year
A separate Dash representative explained that changes had been made to MyDashWallet in April 2018 that saw it begin to load an external script from third-party host GreasyFork.
Hackers are said to have gained access to the GreasyFork account of that script’s creator to add malicious code. From then on, the script was automatically sending the private keys of MyDashWallet users to an external server presumably under control of the attackers.
“This change was detected on July 12 2019 when the hacker used the private keys to move user funds,” clarified Leon White, who manages Dash’s documentation and Wiki.
The full amount of lost DASH is still unknown
As yet, the total amount of cryptocurrency stolen from MyDashWallet users over the past two months isn’t clear. Sadly, one MyDashWallet user has already claimed to have lost 143.84 DASH ($17,597) to the hackers.
According to MyDashWallet, those who used its service in conjunction with hardware wallets or “associated tipbots” are apparently not affected. The firm also doesn’t believe the vulnerability extends to other third-party wallets.
In order to avoid situations like this in the future, White warned that all code that handles DASH private keys should be “reviewed thoroughly” before it is trusted to handle user funds.
White also urged services to discourage the use of local keystores in favor of hardware wallets.
“The hack itself was only active for two months before being detected. The insecure coding practice implemented by MyDashWallet went undetected for over a year due to insufficient review of code by third parties,” said White. “MyDashWallet is not maintained by Dash Core Group, and at no time was the Dash network itself compromised.”
Hard Fork has reached out to MyDashWallet to learn more about the full extent of the attack, and will update this piece should we receive a reply.
Published July 15, 2019 — 10:53 UTC
