Signature Proofing – hackers.mu secures bitcoins

Operation JASK (Just A Single Keystroke, named by core member Nitin) took place on the 23rd of July 2018, when several members of hackers.mu fixed a regular expression that allowed an attacker to retrieve sensitive signature data, which could be used to forge someone’s identity.

The vulnerability was found mainly in gpg.sh and was disclosed as CVE-2018-12356.

hackers.mu has patched 21 bitcoin projects as listed below:

| Member | Project | Merged |
| --- | --- | --- |
| Loganaden | Bitcoin | Bitcoin |
| Nitin | Litecoin | Litecoin |
| Codarren | Dash | Dash |
| Yasir | bitcoin2x, kredsBlockchain, sparkscrypto | |
| Nigel | Bitcoin Gold, Qtum, BitCore, BitcoinX, Bitcoin Diamond, Digibyte | Bitcoin Gold |
| Muzaffar | Monacoin, Binarium, Terracoin, Monoeci, Bitcoin-Atom, coruus/cooperpair | Monacoin, Binarium, Terracoin |
| Rahul | Syscoin, Bitcoin-ABC | |

Regular expressions should be properly unit tested, as a single character can mess things up (just like in the GPG signing). A flaw in signatures will definitely put bitcoin projects at risk – that’s why we are here!
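As an added illustration of the unit-testing point above (not code from gpg.sh or from any of the patched projects), the shell test below checks a filter for GnuPG status lines against both a genuine line and a line that merely contains the status token. The two patterns, the function names and the sample lines are constructed for this example; the patterns differ by a single `^`.

```shell
#!/bin/sh
# Added example: unit tests for a regex that filters GnuPG status output.
# Patterns, function names and sample lines are constructed for
# illustration; they are not the contents of any project's gpg.sh.

# Loose pattern: matches the status token anywhere in a line.
# (In a POSIX basic regex, "]" outside a bracket expression is literal.)
has_validsig_loose() {
    printf '%s\n' "$1" | grep -q '\[GNUPG:] VALIDSIG '
}

# Strict pattern: the token must start the line. One extra character.
has_validsig_strict() {
    printf '%s\n' "$1" | grep -q '^\[GNUPG:] VALIDSIG '
}

# Constructed input 1: a status line emitted at the start of a line.
GENUINE='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-07-23'

# Constructed input 2: the token appears only inside other text, so it
# was not emitted as a status line of its own.
EMBEDDED='[GNUPG:] NEWSIG
gpg: free text [GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-07-23'

# Returns 0 when every expectation holds, 1 otherwise.
run_tests() {
    fail=0
    has_validsig_strict "$GENUINE" ||
        { echo "FAIL: strict pattern rejected a genuine status line"; fail=1; }
    if has_validsig_strict "$EMBEDDED"; then
        echo "FAIL: strict pattern accepted an embedded token"; fail=1
    fi
    # Regression guard: records why the anchor is needed. If this stops
    # matching, the test inputs no longer exercise the difference.
    has_validsig_loose "$EMBEDDED" ||
        { echo "FAIL: loose pattern no longer shows the difference"; fail=1; }
    return "$fail"
}

if run_tests; then
    echo "all regex tests passed"
fi
```

Running a test like this in CI means the negative case fails the build if the anchor is ever dropped from the strict pattern.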

Core member Loganaden got in touch with GitHub, as he believes the signature process is not as it should be. GitHub said that they have forwarded the issue to the concerned department, but it seems that it is being overlooked.

Stay tuned for more contributions!