This video shows how scammers steal from your wallet

This applies to all sorts of wallets. The idea is to trick people into thinking there’s something to claim and therefore people connect their wallet.

1 Like

Interesting!

So, this guy found out that it’s a bad idea to give arbitrary websites unlimited access to your funds, but then he just revokes it for the one website that scammed him, but leaves it on for all the other sites reported to him?!?

I have never heard that this kind of access is even possible on Cardano and hope that it means it isn’t.

Also, given that people are already really sensitive here, when Yoroi wants to have access to other websites to go a tiny bit into the dApp direction, they will still be vigilant, should it become possible.

Yes. And it is certainly possible to allow a rogue program access to your Cardano wallet. It is somewhat similar to the fake “Daedalus mobile wallet”. A hardware wallet doesn’t help.

This has made me wonder. Suppose you have a Ledger wallet and Ledger Live wants access. How can you be sure it is really Ledger Live and not malware claiming to be Ledger Live? I think there’s room for improvement. Ledger Live could show something like a simple random captcha like “tomato” and the Ledger would also show this word.

I have written software in C++ that communicates with a USB modem and I guess it’s not that difficult to do the same with a Ledger or any other hardware wallet. After all, the software wallets that communicate with Ledger are open source.

Giving an external entity allowance to spend your funds in your name seems to be a built-in functionality on Ethereum and Binance Smart Chain according to the video. That is somehow a different beast than malware or fake apps. I have not seen legitimate functionality on Cardano that does not require every single transaction to be done in your wallet app by you personally.

Against the fake “Daedalus” mobile app? It still requires you to confirm the details of every transaction on the hardware, doesn’t it?

The malware would have to kick in at exactly the moment I’m starting Ledger Live. Otherwise, it would be very suspicious if it wants access, even though I didn’t start it. And then, AFAIK, it can still not extract keys, but just install and uninstall firmware and apps. But it could replace the Cardano app by one that doesn’t ask permission (or asks permission with fake transaction details). Don’t know how restricted firmware and apps are on the Ledger.

Yes, the security is not that malware cannot communicate with the Ledger. It’s that you have to confirm the transaction on the device and secret keys never leave it.

If you don’t understand what you are confirming, then you risk doing something you will regret. The mobile wallet is similar because people didn’t understand what they were dealing with, they didn’t visit the official site, no due diligence, no double checking.

This scenario is perhaps unlikely, but you may have malware that will autostart thanks to a registry setting. It can detect if Ledger Live has started and immediately close it and show a Ledger Live cloned window. There are other ways than the TerminateProcess API call to shut down a program. It even works with the task manager. The user is now likely to accept a connection.

If you have invested heavily in crypto assets, it makes sense to have two hardware wallets, one of which only holds small amounts, such that you can test things that you haven’t done before.

2 Likes