Someone slipped a vuln into crypto-wallets via an NPM package. Then someone else siphoned off $13m in coins to protect it from thieves

Blockchain biz Komodo this week said it had used a vulnerability discovered by JavaScript package biz NPM to take control of some older Agama cryptocurrency wallets to prevent hackers from doing the same. The digital currency startup said it had socked away 8 million KMD (Komodo) and 96 BTC (Bitcoin) tokens – worth about …

  1. Pascal Monett Silver badge

    Just goes to show

    You do not have production servers depend on unknown code.

    Known code is code you have evaluated, reviewed and tested, and should be stored on a server you control.

    When you are notified of an update, you evaluate the necessity of the update, review the new code if the update is necessary for you, and apply it to your test server only if you do intend to use it. There, you test it thoroughly and validate its merging with production code on servers you control.

    This form of attack only works because everyone is abandoning their duty of care and just blindly trusting dozens of people they don't know to do things right. That's like hiring a cleaning lady and getting ten people shuffling around your house, doing things that are not necessarily related to cleaning. You'd have to be mad to accept that, but when it's code, you just can't be bothered (I know, might not have the time either - doesn't mean it's a good situation).

    1. sabroni Silver badge

      Re: Just goes to show

      I agree.

      Most internet sites go further, not only trusting other packages but linking to external sources directly to get code. I'm only allowing theregister.co.uk and regmedia.co.uk to run scripts on this site but there are 4 other sites that want to run code on this page (often that number balloons if you let the first lot run). At least with NPM you download the packages and serve them from your control. You have the chance to run npm audit. It's not possible for theregister.co.uk to guarantee that my connection to gstatic.com hasn't been compromised.

      But this way is faster if I've already been to gstatic.com for those scripts today so.....

    2. Mo'Fo B'dass

      Re: Just goes to show

      So you've checked every line of code in every application and all its dependencies? You've learnt how each and every bit of code interacts with every other bit of code in your entire production ecosystem?

      And your knowledge is such that every single update can be re-evaluated and tested to destruction ensuring absolutely no bugs and vulnerabilities exist? And you've attended to that personally so that you can be sure no one else on your team has taken shortcuts or overlooked something?

      Wowzers...

      1. GnuTzu Silver badge

        Re: Just goes to show

        Nope, but you've still got to have various processes of quality assurance: code review, testing, scanning, etc. And, if your code has to deal with security, fuzzing, vulnerability scanning/review, and pen testing are a must. Pulling code directly into production--particularly as an automated process--will just make your production servers the low-hanging fruit.

      2. Muppet Boss

        Re: Just goes to show

        >So you've checked every line of code in every application and all its dependencies? You've learnt how each and every bit of code interacts with every other bit of code in your entire production ecosystem?

        That's the point: NPM makes it fairly easy to introduce malicious code into _your_ codebase by hijacking some obscure package you are not even aware of. End-to-end code and security audit becomes very difficult too.

      3. AdamWill

        Re: Just goes to show

        I dunno why people are downvoting this. This person is exactly right. The OP's theory is lovely, but it's completely unworkable. Nobody in the world except *possibly* extremely paranoid spy agencies with extremely large budgets is actually *doing* this:

        "When you are notified of an update, you evaluate the necessity of the update, review the new code if the update is necessary for you, and apply it to your test server only if you do intend to use it. There, you test it thoroughly and validate its merging with production code on servers you control."

        with all their code because it's just not realistically possible. For a start if you're using any closed source code...you can't review the new code. Game over. Even if you're using 100% open source: who has the in-house expertise, and the person-hours available, to review all the changes in every new version of the Linux kernel they deploy? And every new version of glibc? And every new version of Java? And every new version of every bit of their Python stack? And their Perl stack? And their PHP stack? Sorry, but it just ain't happening. I'm not doing it, you're not doing it, and no-one commenting on this thread is doing it.

        The terrifying thing here, really, is there's nothing particularly specific to NPM about it. Yeah, NPM is kinda an outlier in terms of the sheer amount of bits that are in it and the sheer amount of them that any given JS project probably winds up depending on. But it would not be *that* difficult to do this same thing in any other language ecosystem. You absolutely could write a useful Python library, wait for projects to adopt it, maintain it well for a while then upload a new version with a subtle backdoor to PyPI, and I severely doubt anyone would catch it, at least not immediately. It would very likely wind up in all the Linux distros and umpteen commercial software projects in relatively short order. Hell, I would not be at all surprised if this has *already happened*. Probably more than once.

        1. Michael Wojcik Silver badge

          Re: Just goes to show

          The OP's theory is lovely, but it's completely unworkable.

          Rubbish. There's a world of options between "I've personally reviewed every single line of source in my external dependencies" and "I let npm download arbitrary updates every time I build".

          For every project I've ever worked on, it's entirely possible to keep a manifest of every single third-party dependency, know what versions I'm using, know when they're updated and why, and check the provenance of those updates. Which is good, since those projects all are required to conform to those requirements.

          None of those projects would ever have incorporated a new dependency automatically. Yes, someone could still fail to perform due diligence when that dependency was added to the existing component; but that's a far cry from letting a package manager simply add it to the product automatically.

          There are far too many software products - particularly web-based ones - where the development teams have no idea what dependencies they're pulling in. That's lazy negligence.
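The manifest-and-provenance discipline described in the comment above (know every dependency, its version, when it changed and where it came from) can be mechanised as a lockfile diff. The Node script below is an added example, not code from the thread, Komodo or npm: it compares the "packages" map of two constructed package-lock.json objects and flags additions, version bumps, integrity hashes that change under an unchanged version, and tarballs resolved from a different host. All package names, hosts and hashes are constructed placeholders.

```javascript
// Added example for this thread, not code from the article, Komodo or npm.
// Compares the "packages" map of two package-lock.json files (lockfileVersion 2/3
// layout: packages["node_modules/<name>"] = { version, resolved, integrity }).
// Both lockfiles are constructed sample data; hashes and hosts are placeholders.

const OLD_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/express": { version: "4.17.1",
      resolved: "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
      integrity: "sha512-CONSTRUCTED-express-a" },
    "node_modules/left-pad": { version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED-leftpad-a" },
    "node_modules/debug": { version: "4.1.1",
      resolved: "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
      integrity: "sha512-CONSTRUCTED-debug-a" },
  },
};

const NEW_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app", version: "1.0.1" },
    // ordinary upgrade: version and integrity both change
    "node_modules/express": { version: "4.17.3",
      resolved: "https://registry.npmjs.org/express/-/express-4.17.3.tgz",
      integrity: "sha512-CONSTRUCTED-express-b" },
    // same version string, different tarball hash, fetched from another host
    "node_modules/left-pad": { version: "1.3.0",
      resolved: "https://mirror.example.test/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED-leftpad-b" },
    // transitive dependency that was not present before (constructed name)
    "node_modules/wallet-helper": { version: "0.0.1",
      resolved: "https://registry.npmjs.org/wallet-helper/-/wallet-helper-0.0.1.tgz",
      integrity: "sha512-CONSTRUCTED-wallethelper-a" },
  },
};

// "block" stops the build, "review" needs a human, "info" is only logged.
const SEVERITY = {
  "integrity-changed-same-version": "block", // tarball changed under a fixed version
  "registry-changed": "block",               // now resolved from a different host
  "added": "review",
  "version-changed": "review",
  "removed": "info",
};

const nameOf = (path) => path.replace(/^.*node_modules\//, "");
function hostOf(resolved) {
  try { return new URL(resolved).host; } catch { return "(unparseable)"; }
}

function diffLockfiles(oldLock, newLock) {
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(newPkgs)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = nameOf(path);
    const prev = oldPkgs[path];
    if (!prev) { findings.push({ name, kind: "added", detail: entry.version }); continue; }
    if (prev.version !== entry.version) {
      findings.push({ name, kind: "version-changed", detail: `${prev.version} -> ${entry.version}` });
    } else if (prev.integrity !== entry.integrity) {
      findings.push({ name, kind: "integrity-changed-same-version", detail: `${prev.integrity} -> ${entry.integrity}` });
    }
    if (hostOf(prev.resolved) !== hostOf(entry.resolved)) {
      findings.push({ name, kind: "registry-changed", detail: `${hostOf(prev.resolved)} -> ${hostOf(entry.resolved)}` });
    }
  }
  for (const path of Object.keys(oldPkgs)) {
    if (path !== "" && !(path in newPkgs)) findings.push({ name: nameOf(path), kind: "removed", detail: oldPkgs[path].version });
  }
  return findings.map((f) => ({ ...f, severity: SEVERITY[f.kind] }));
}

// True when any finding should stop the build outright.
const shouldBlock = (findings) => findings.some((f) => f.severity === "block");

for (const f of diffLockfiles(OLD_LOCK, NEW_LOCK)) console.log(`[${f.severity}] ${f.name}: ${f.kind} (${f.detail})`);
```

Run against real lockfiles by loading the two files with JSON.parse and wiring shouldBlock into the CI step that precedes npm ci.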

          1. AdamWill

            Re: Just goes to show

            "Rubbish. There's a world of options between "I've personally reviewed every single line of source in my external dependencies" and "I let npm download arbitrary updates every time I build"."

            Er. Sure there are. But that's not what the OP said. They said "You do not have production servers depend on unknown code. Known code is code you have evaluated, reviewed and tested, and should be stored on a server you control." Note the "reviewed and tested" there. What you're talking about is perfectly reasonable, but it's not what the OP said.

            I agree that it's a sensible policy to know what versions of what components you're actually running and not pull in new ones willy-nilly, and the Javascript / NPM ecosystem is particularly bad at helping with this. But that doesn't necessarily protect you against someone patient enough to write something useful, get it adopted by reputable projects, and then subvert it a couple of years down the road. (It also involves trust that the processes and policies of all the 'known' components you're using are sufficient to keep out subtly malicious submissions, which is not at all a given either). It's still a good idea, but it's not what the OP said, and it doesn't make you perfectly safe. (Of course...nothing makes you perfectly safe except a big hammer and a pair of scissors for the network cable...)

    3. Anonymous Coward Silver badge

      Re: Just goes to show

      So you don't run any windows boxes then? Or at a bare minimum, you've fully vetted your install and turned off updates?

      Same with linux boxen really - you've completely analysed all of the source code and it's bug free so you don't run (apt-get upgrade|yum update) ever?

      Good to know.

      Perhaps you can share your bug-free versions with the community...

      1. adam 40 Bronze badge

        Re: Just goes to show

        Better the bugs you know, than the bugs being fed to you from upstream.

        Yes - turn off updates. Snapshot from whatever distro you develop on, and freeze it.

        We don't need all this churn, and it will make malicious AIs' (Skynet's?) job all the easier come the singularity, if it has stolen all our private keys already.

    4. JimC

      Re: because everyone is abandoning their duty of care

      So, it seems the price of freedom is indeed eternal vigilance.

      1. anoco

        Re: because everyone is abandoning their duty of care

        "So, it seems the price of freedom is indeed eternal vigilance."

        It's more like the price of survival. Because you're never really free if you have to be watching out all the time. I don't know about you guys, but I'm always feeling like a thirsty gazelle in the Serengeti.

      2. Michael Wojcik Silver badge

        Re: because everyone is abandoning their duty of care

        It's not a binary choice. Software security is a process, and part of that process can, and should, be implementing improvements to third-party dependency handling. Some people in this thread seem to regard that as all or nothing: either you inspect every line or you throw up your hands and let automated package managers pull anything, whenever they want.

        This is true of every aspect of security, in every domain. Security is never finished or perfect. That doesn't mean we shouldn't do anything.

  2. YetAnotherJoeBlow

    Yep...

    That NPM was a brilliant idea. They really thought it through. I especially like when I'm building privileged code and watch as it pulls non-vetted source code into my build. Everyone knows my builds; quality you can trust.

  3. TonyJ Silver badge

    Surely...

    ...whatever the justification behind their actions, what Komodo have done is illegal?

    Genuine question.

    1. Anonymous Coward

      Re: Surely...

      Illegal? Cryptocurrencies are beyond the scope of the legal system.

      1. DavidD

        Re: Surely...

        "Illegal? Cryptocurrencies are beyond the scope of the legal system."

        Financially, yes.

        However what they have done could still be considered unauthorised access to a computer system.

        1. adam 40 Bronze badge

          Re: Surely...

          Or theft... or money laundering (the new catch-all).

          1. Anonymous Coward

            Re: Surely...

            Or wire-fraud...

        2. Michael Wojcik Silver badge

          Re: Surely...

          However what they have done could still be considered unauthorised access to a computer system.

          Could it? My reading of the article - I haven't investigated the details, because frankly I don't much care - is that they simply changed the code in their wallet app to move the balances to wallets they control. Someone who uses their wallet app might have grounds for claiming violation of contract if they have some sort of agreement that Komodo won't do that, but I don't see any "unauthorized access". The users decided to install and run the Komodo wallet software. It's authorized.

    2. Antonius_Prime

      Re: Surely...

      It's crypto currency. It's only got value because we all collectively agree it has.

      Technically, monopoly money (now a thing of the past as well!) has more real-world value.

      Real currency is slightly similar, in that all the *banks* collectively agree it has value. Us plebs don't get a look in...

      1. Naselus

        Re: Surely...

        "Real currency is slightly similar, in that all the *banks* collectively agree it has value."

        Not so much the banks, as the taxman. He makes you pay your taxes in £, so demand for £ has a floor and so it has value.

        1. Antonius_Prime

          Re: Surely...

          Ah yeah. Forgot about the revenooo.

          Cheers.

        2. unimaginative

          Re: Surely...

          To an extent, but what it really depends on is that we all accept it as a medium of exchange.

          Before we have goldbugs going on about the lack of intrinsic value of fiat currencies, the same is true of the value of gold - most of its value comes from its scarcity, which is mostly the result of people (and central banks!) using it as a store of wealth.

          1. Anonymous Coward

            Re: Surely...

            Apart from Gordon Brown, who just gave the stuff away.

      2. phuzz Silver badge

        Re: Surely...

        "Us plebs don't get a look in..."

        You've never accepted cash money from someone? If so, then congratulations! You've helped define the value of that cash when you said "OK, I'll mow your lawn for a fiver" (eg).

      3. not_my_real_name

        Re: Surely...

        The whole point of crypto is that you don't own anything physical or electronic, only a key that gives you rights to amend a public shared database. In fact only the person that exposed these keys acted illegally. Whether the legal system understands this is another matter.

        1. TheVogon Silver badge

          Re: Surely...

          Unauthorised taking of something and depriving the owner of it is theft. Just like stealing money from a bank account. Pretty sure most legal systems would already cope with that. Failing that, it's unauthorised access to a computer.

          1. Jason Bloomberg Silver badge

            Re: Surely...

            Unauthorised taking of something and depriving the owner of it is theft.

            I am pretty certain any legal definition of theft will require an intent to "permanently deprive". My taking of your wallet you left on a cafe table, so I can return it to you, is not theft if I have that intent.

            If you want to consider that "theft" then I'll leave yours on the table to await its fate ;-)

            We have "taking without the owner's consent" as a criminal offence in the UK specifically for those who, when nicked, pretend they were "only borrowing it", were going to return it, had no intent to permanently deprive the owner of it, hoping to dodge the charge of theft which, in those circumstances, cannot always be proven beyond reasonable doubt.

            Most criminal offences also require mens rea, a guilty mind, criminal intent. Doing something for the greater good should never be treated the same as something done with harmful intent.

            1. Doctor Syntax Silver badge

              Re: Surely...

              "Most criminal offences also require mens rea, a guilty mind, criminal intent."

              And in this case publicising what they'd done and why makes that an unlikely circumstance.

              1. Jason Bloomberg Silver badge

                Re: Surely...

                And there's also "duty of care". If I walk past your house and see you have left your front door open and have exposed your pile of gold for everyone to see, there's an argument that it would be more remiss of me not to enter your home, remove that gold to a safe place, and leave a note indicating what I had done, than to walk on by.

                While aspects of that could well be considered criminal in other circumstances I cannot imagine that anyone would ever be prosecuted, let alone convicted, for a crime in such circumstances.

                If I'd walked by and your gold was inevitably stolen, I believe there might even be more of a case to answer.

      4. TheVogon Silver badge

        Re: Surely...

        Money only has value because we all agree it has. The gold standard is long gone.

        1. quxinot Silver badge

          Re: Surely...

          To be fair, gold only has value because we all agree it has, also.

          Point taken about fiat currency, but if you get too nihilistic, it's all fiat currency.

          1. RegGuy1

            Re: Surely...

            We could make leaves legal tender...

            1. Ken Moorhouse Silver badge

              Re: We could make leaves legal tender...

              The problem there is that all the branches are closing...

      5. katrinab Silver badge

        Re: Surely...

        Plenty of things that aren’t money have value. In any case, if you are up on a charge of theft, claiming that the thing you stole has no value isn’t going to work, because it isn’t legally relevant.

    3. yoganmahew

      Re: Surely...

      Writing any of this stuff in JS, surely that should be illegal?!

    4. DavCrav Silver badge

      Re: Surely...

      I don't know about the US but prosecuting in the UK would be difficult. You could claim the Computer Misuse Act, because the Theft Act requires the removal with the intention to permanently deprive. As they clearly have no intention to permanently deprive, no theft has occurred. However, an unauthorized intrusion has occurred, so CMA could apply.

      The problem with this is that the unauthorized access was to prevent a theft, and so there is no mens rea. Indeed, not acting would probably lead to the commission of a crime, so there's a significant public interest defence.

      Standard IANAL label applies, this post is for entertainment purposes only, etc.

      1. Pier Reviewer

        Re: Surely...

        Mens rea for CMA s.1 is simply that you knew that you had no authorisation to interact with the computer. It’s an appallingly widely drafted piece of legislation, and is ripe for abuse.

        The fact the action taken was apparently for good does not provide a defence. If this was an individual in the UK they would be saying bye-bye to their computing gear.

        1. Michael Wojcik Silver badge

          Re: Surely...

          you knew that you had no authorisation to interact with the computer

          Authorized users had already installed Komodo's software, giving Komodo authorization to interact.

          I may be (and, indeed, am) annoyed every time I use Excel, but I can't claim that Microsoft is running it on my computer without my permission. Should Microsoft update Excel so it uploads all my data to their cloud (hmm...) and deletes it locally (who'd be surprised?), I can't claim they were "unauthorized".

  4. sitta_europea Bronze badge

    It's why we have norms and systems. Legal, financial, social, whatever.

    It's called society.

    Without the norms and the systems, the whole thing breaks down and we're left with anarchy. Not a place you want to be.

    There will always be those who for whatever reason don't want to be bound by the norms and try to evade the systems.

    That's why we have prisons (and secure hospitals of course).

    Not nearly enough of them in my view.

    1. tentimes

      We should put you in a secure hospital then and see how you like it. Not enough of them *facepalm*!

  5. Anonymous Coward

    SawlyNotSawly

  6. FrogsAndChips Silver badge

    "the assets await reclamation by their owners"

    And how exactly will the owners know who to reclaim it from? Did Komodo leave a little note in the wallets "Please collect your fun-coins at your local Komodo branch"?

    1. tentimes

      Re: "the assets await reclamation by their owners"

      My guess is Komodo are rubbing their hands with glee as this is a perfect excuse to get their mitts on other people's bitcoin. I would be amazed if all the BTC went back to the owners in the end.

    2. moiety

      Re: "the assets await reclamation by their owners"

      I was wondering this. Was there a "Komodo was ere" sign left in the balance display, with contact details? What, in short, is the connection between "all my munnies haz gone" and Komodo? And - depending upon the vulnerability - there could be reasons for making that hard "because we don't want the scammers to falsely claim the money".

      Could be all lovely and face value but:

      Komodo coins?

      $13m?

      Komodo get to pimp for free in the news how awesome they are at this security thing

      Be interesting to see how much effort is being put in to trace the owners. Especially of the coins not sharing the company name (which are worth $762,538.56 if DuckDuckGo is accurate).

      1. moiety

        Re: "the assets await reclamation by their owners"

        Also, now that I come to think about it, the information you could extract from a bunch of bitcoiners desperate to reclaim their goodies could be a saleable data set in its own right.

    3. TechnicalBen Silver badge

      Re: "the assets await reclamation by their owners"

      No idea on this system... but I would assume at least in similar cases the exploits only allow transfers into a thief's account... thus for the time being you could transfer to Komodo and await identification of the owner.

      However I'd have to spend too much time checking if it is a multilevel authentication or not for these coins. I've no horse in this race, so will let them figure it out. But theoretically a system could have exploits limited to certain functions only and could separate identification and other. (IIRC you have private / public keys and all sorts on some of these cryptographic systems)

    4. Doctor Syntax Silver badge

      Re: "the assets await reclamation by their owners"

      "And how exactly will the owners know who to reclaim it from?"

      The first few paragraphs of the story should give you a bit of a hint.

  7. Creslin

    Taking from somebodies house as the window locks didn't look perfect. Not great.

    The victim is supposed to know the name of everybody who could have taken the missing belongings to check with them all, just in case one of them did take the valuables and they're offering to give back.

    1. Anonymous Coward

      Re: Taking from somebodies house as the window locks didn't look perfect. Not great.

      somebody's

    2. Doctor Syntax Silver badge

      Re: Taking from somebodies house as the window locks didn't look perfect. Not great.

      How about having noticed the window locks had been changed in circumstances which looked a bit suspicious?


  9. TrumpSlurp the Troll Silver badge

    Freetards.

    Back in the days before massive repositories of "free" code instantly available online - that is before the Internet - you wrote your own code or you bought commercial code libraries from a supplier.

    That took a long time and cost a lot of money and programmers were quite well paid in the main.

    Now nobody has the time or money to do in house development, and code is just assembled from the "cloud" of random online repositories.

    So somebody else has fingers inside your production code. There isn't even a guarantee that ownership of the code will not change, nor that the code will not be withdrawn from the repository at short notice. The "cloud" is somebody else's code on somebody else's computer. Saves money until something goes wrong. Then you are screwed.

    On the unauthorised computer access front; wasn't it their own computers?

  10. Tree

    Crypto Currency is so SAFE!

    "Your privacy is very important to us." "Money is, too." Gimme..

    Please, do not trust your money to the internet. Bury your gold. Don't trust anything with "wallet" in the name. If you use a password, they can steal your credits.


Biting the hand that feeds IT © 1998–2019