The vulnerability allowed overspending attacks through transaction fees.
According to Trezor, this vulnerability may affect other cold wallet providers.
Trezor, the manufacturer of Bitcoin cold wallets, has released a firmware update for its Trezor One and Model T devices. The new version fixes a vulnerability that compromised funds spent through SegWit (segregated witness) transactions.
The company released the update on Wednesday, 3 June. In a note posted on its official blog on Medium, Trezor gave details of the newly released versions: 2.3.1 for the Trezor One and 1.9.1 for the Model T.
In this note, Satoshi Labs, the company behind the Trezor wallet, explains that the update is “to deal with SegWit transactions in the same way as non-SegWit transactions”. That is to say, by validating the UTXO amounts against the previous transaction to verify the actual amounts available.
With this measure, the publication explains, it resolves the vulnerability found in March of last year by Saleem Rasheed. This vulnerability allowed an attack in which an error message is thrown when the user tries to send a transaction. On the second attempt, the attacker could create a new transaction that spends the majority of the total amount on fees.
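The check described above, sketched as an added example (this is not Trezor's firmware code): a signer computes the fee only from input amounts it has confirmed against the previous transactions, instead of trusting the amounts the host claims. The function names, the JSON-based `txid` stand-in for Bitcoin's binary serialization, and the sample values are assumptions constructed for illustration.

```python
import hashlib
import json

def txid(prev_tx):
    # Constructed stand-in for a Bitcoin txid: double SHA-256 over canonical
    # JSON (real transactions are hashed over Bitcoin's binary serialization).
    raw = json.dumps(prev_tx, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()

def verified_fee(inputs, outputs, prev_txs):
    """Return the fee computed from previous-transaction data, not host claims.

    inputs:   [{"txid", "vout", "claimed_amount"}] as sent by the host
    outputs:  output amounts in satoshis
    prev_txs: full previous transactions supplied by the host
    """
    by_id = {txid(tx): tx for tx in prev_txs}  # hash them ourselves
    total_in = 0
    for inp in inputs:
        prev = by_id.get(inp["txid"])
        if prev is None:
            raise ValueError("previous transaction missing or hash mismatch")
        if not 0 <= inp["vout"] < len(prev["outputs"]):
            raise ValueError("output index out of range")
        actual = prev["outputs"][inp["vout"]]
        if actual != inp["claimed_amount"]:
            raise ValueError("claimed amount does not match previous output")
        total_in += actual
    fee = total_in - sum(outputs)
    if fee < 0:
        raise ValueError("outputs exceed inputs")
    return fee

# Constructed sample data: one previous transaction with two outputs.
PREV = {"version": 2, "inputs": ["coinbase"], "outputs": [5_000_000, 150_000]}
HONEST = [{"txid": txid(PREV), "vout": 0, "claimed_amount": 5_000_000}]
LYING = [{"txid": txid(PREV), "vout": 0, "claimed_amount": 1_010_000}]
OUTPUTS = [1_000_000]

def demo():
    results = {"honest_fee": verified_fee(HONEST, OUTPUTS, [PREV])}
    # A signer that trusts the host would show this much smaller fee instead.
    results["trusted_fee"] = sum(i["claimed_amount"] for i in LYING) - sum(OUTPUTS)
    try:
        verified_fee(LYING, OUTPUTS, [PREV])
        results["lying_rejected"] = False
    except ValueError:
        results["lying_rejected"] = True
    return results
```

With the understated amount, a trusting signer would display a fee of 10,000 satoshis while the input really carries 5,000,000; the verified path rejects the request before anything is shown or signed.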
Recall that SegWit transactions were introduced as a way to “increase the capacity of this chain. So, instead of increasing the block size, the transaction signatures are redistributed”, as defined in the Breaking News glossary of acronyms.
According to Trezor's text, this vulnerability could affect “all hardware wallet suppliers, some of which requested 90 days to implement the solution.”
“That is why we took more time than usual to post this solution, because we respect the rules of coordinated disclosure,” the Satoshi Labs note adds.
Other recent vulnerabilities
In January of this same year, another vulnerability was found that allowed an attacker to extract the private keys of a Trezor wallet with access to the device for about 15 minutes.
That same vulnerability had been detected a short time earlier in KeepKey wallets, as Breaking News reported at the time.
Then, a little over a week ago, an alleged attacker claimed to have gained access to the data of thousands of users of Trezor, Ledger and exchanges, according to the attacker's own statements. This attacker asked for an undisclosed sum of money in exchange for not leaking the supposed data.
However, Trezor, Ledger and the exchange Bitso all stated that it was a false alarm. In the case of Trezor, the company said that the supposed data list was false. “We have thoroughly analyzed the sample data and we can confirm that it does not match the records of our clients in the e-store,” Trezor said on that occasion.