Online crypto wallets are not the safest option to store your crypto assets. A new report by Check Point Research (CPR) has identified a security vulnerability in Everscale’s online blockchain wallet. If exploited, the research says that the vulnerability would have given an attacker full control over a victim’s wallet and crypto funds. The vulnerability was discovered in the web version of Everscale’s wallet, known as Ever Surf which could make it possible for attackers to decrypt the private keys and seed phrases—the crypto equivalent of a password.
Ever Surf is available on Google Play and Apple iOS Store. It is a cross-platform messenger, blockchain browser, and crypto wallet for the Everscale blockchain network. The company recorded 31.6 million transactions and has over 669,000 accounts worldwide. Everscale is a smart contract platform based on Telegram’s predecessor TON blockchain project.
“Usually, attackers utilise malicious browser extensions, info stealer malware or just phishing to get keys. Decrypt the keys by running a simple script. With the help of discovered vulnerability, decryption takes just a couple of minutes on consumer-grade hardware,” CPR said in its report.
CPR disclosed the vulnerability to Ever Surf developers, who then released a desktop version of the browser that mitigates this vulnerability.
“When working with cryptocurrencies, you always need to be careful, ensure your device is free of malware, do not open suspicious links, and keep OS and anti-virus software updated. Despite the fact that the vulnerability we found has been patched in the new desktop version of the Ever Surf wallet, users may encounter other threats such as vulnerabilities in decentralized applications, or general threats like fraud, phishing,” Prakash Bell, Head, Security Engineering, India, and SAARC, at Check Point Software.
It should be noted that blockchain transactions are irreversible. In the blockchain, unlike a bank, you cannot block a stolen card or dispute a transaction. If the keys to your wallet are stolen, your crypto funds can become easy prey for cybercriminals, and no one can help return your money back.
To prevent theft of the keys, CPR recommends not following suspicious links especially if they are sent from strangers. “Keep your OS and anti-virus software updated. Do not download software and browser extensions from unverified sources,” CPR added.