Ledger Connect Kit Exploited
Ledger had a major security incident after a former Ledger employee fell victim to a phishing attack. Bitcoin users unaffected.

- "December 14th, 2023, Ledger experienced an exploit on Ledger Connect Kit, a Javascript library to connect Web sites to wallets."
- "The industry collaborated with Ledger to neutralize the exploit and try to freeze stolen funds very quickly – the exploit was effectively running for less than two hours."
- "This exploit is currently being investigated, Ledger has filed complaints and will help affected individuals try to recover funds."
- "This exploit did not and does not affect the integrity of Ledger hardware or Ledger Live," said Ledger CEO Pascal Gauthier.
- "The exploit was limited to third party DApps which use the Ledger Connect Kit."
What happened?
– I'm Software (@MatthewLilley) December 14, 2023
In short, @Ledger made a chain of terrible blunders.
1. They are loading JS from a CDN.
2. They are not version locking loaded JS.
3. They had their CDN compromised.
I would avoid using ANY dApps until their teams confirm that they have mitigated the attack. https://t.co/a3brXNQSx9
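
A defender-side check for the first two points in the tweet above, as an added example that is not part of the original article or Ledger's code: a small Node.js lint that flags third-party `<script>` tags whose URL is not locked to an exact version or that carry no Subresource Integrity hash. The hosts, package name and integrity value are constructed for illustration.

```javascript
// Added example: lint HTML for CDN-loaded scripts that are not version-locked
// or lack Subresource Integrity (SRI). All sample markup below is constructed.

// "@1.2.3" counts as locked; "@1", "@latest", "@^1.2.0" or no version do not.
const EXACT_VERSION = /@\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?(?=\/|$)/;
const SRI_TOKEN = /^sha(256|384|512)-[A-Za-z0-9+/]+=*$/;

// Read one quoted attribute value out of a tag's source text (null if absent).
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*("([^"]*)"|'([^']*)')`, "i").exec(tag);
  return m ? (m[2] ?? m[3]) : null;
}

// Return one finding per third-party <script src> that has a problem.
function auditScripts(html, ownOrigin) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    if (!src) continue; // inline script, nothing fetched
    const url = new URL(src, ownOrigin);
    if (url.origin === new URL(ownOrigin).origin) continue; // self-hosted
    const problems = [];
    if (!EXACT_VERSION.test(url.pathname)) problems.push("version-not-locked");
    const hashes = (attr(tag, "integrity") ?? "").trim().split(/\s+/);
    if (!hashes.some((h) => SRI_TOKEN.test(h))) problems.push("no-sri");
    if (problems.length) findings.push({ src, problems });
  }
  return findings;
}

// Constructed page: one self-hosted script and three CDN loads of a
// hypothetical package. The integrity value is a placeholder, not a real digest.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example/npm/example-wallet-kit@1"></script>
<script src="https://cdn.example/npm/example-wallet-kit@2.3.1/dist/index.js"></script>
<script src="https://cdn.example/npm/example-wallet-kit@2.3.1/dist/index.js"
        integrity="sha384-Q09OU1RSVUNURURfUExBQ0VIT0xERVJfTk9UX0FfUkVBTF9ESUdFU1Q="
        crossorigin="anonymous"></script>`;

console.log(auditScripts(SAMPLE_HTML, "https://app.example"));
```

A locked version without `integrity` still trusts the CDN to serve the expected bytes, which is why the lint reports the two conditions separately.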
