The NPM Vulnerability
On November 26th, BitPay was made aware of malicious code in the Copay wallet that attempted to capture the private keys of Copay and BitPay wallet users (the BitPay wallet itself was not vulnerable). The malicious code was loaded into the Copay wallet through a modified NPM dependency and was present in versions 5.0.2 through 5.1.0 of our Copay and BitPay apps.
Once we learned of this, our developers quickly fixed the Copay wallet in version 5.2.0. Because versions 5.0.2 through 5.1.0 of the Copay app were vulnerable to the malicious code, we issued an announcement warning our users not to open or run affected apps and to move their funds to wallets created on the new, secure Copay version.
BitPay’s Security Updates
But if we had left things at a fix and an announcement, you shouldn't trust us to build your crypto wallet. Over the following week our developers worked on long-term improvements to the security of the Copay and BitPay wallets. All of these updates are now live as of Copay v5.3.1.
Reducing Dependency Risk
First, we have locked our dependency tree. Aside from security patches to our dependencies, we will now only update our software dependencies when a new major version of Copay or BitPay is released. This gives us time to review dependency changes in our codebase before they go live for our users: it is usually over one month between our alpha and production releases.
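What "locking the dependency tree" means in practice is that package.json names one exact version per dependency and package-lock.json records, for every package actually installed, the URL it was fetched from and the hash of the tarball. The audit below is an added example written for this post, not Copay's or BitPay's own tooling: it flags dependency specifiers that are ranges or dist-tags and lockfile entries that npm could not verify at install time. The package.json and package-lock.json objects, the package names and the sha512 values in them are constructed placeholders.

```javascript
// Added example, not Copay/BitPay code: audit an npm project for dependencies
// that are not pinned to one exact version, and for lockfile entries that lack
// the resolved URL and integrity hash npm needs to reject a swapped tarball.
// The package.json and package-lock.json objects below are constructed samples;
// the package names and sha512 values in them are placeholders.

const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Every dependency whose specifier is a range (^, ~, >=), a dist-tag such as
// "latest", a URL or a wildcard rather than one exact version.  With such a
// specifier, a fresh install without a lockfile can pull in a release that
// nobody on the project has reviewed.
function findLooseSpecifiers(pkg) {
  const loose = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_SEMVER.test(spec)) loose.push({ field, name, spec });
    }
  }
  return loose;
}

// Lockfile entries that cannot be verified at install time: a missing "resolved"
// means npm re-resolves the version, a missing "integrity" means it cannot check
// the tarball hash.  Handles lockfileVersion 1 (nested "dependencies") and
// lockfileVersion 2/3 (flat "packages" keyed by node_modules path).
function findUnverifiableLockEntries(lock) {
  const bad = [];
  const check = (name, entry) => {
    if (entry.link) return;                       // workspace symlink, nothing fetched
    if (!entry.resolved || !entry.integrity) bad.push({ name, version: entry.version });
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue;                  // the root project itself
      check(path.replace(/^.*node_modules\//, ''), entry);
    }
  } else {
    const walk = (deps) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        check(name, entry);
        walk(entry.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return bad;
}

// Gate for a CI step: the build should fail unless both lists are empty.
function auditProject(pkg, lock) {
  const loose = findLooseSpecifiers(pkg);
  const unverifiable = findUnverifiableLockEntries(lock);
  return { ok: loose.length === 0 && unverifiable.length === 0, loose, unverifiable };
}

// Constructed sample inputs.
const samplePackageJson = {
  name: 'sample-wallet',
  dependencies: {
    'wallet-core': '0.16.0',        // pinned: only this version can install
    'stream-utils': '^3.3.4',       // caret: any 3.x.y >= 3.3.4 satisfies it
    'some-util': 'latest',          // dist-tag: whatever is newest at install time
  },
  devDependencies: { mocha: '~5.2.0' },   // tilde: any 5.2.x
};

const samplePackageLock = {
  name: 'sample-wallet',
  lockfileVersion: 1,
  dependencies: {
    'wallet-core': {
      version: '0.16.0',
      resolved: 'https://registry.npmjs.org/wallet-core/-/wallet-core-0.16.0.tgz',
      integrity: 'sha512-PLACEHOLDER1',
    },
    'stream-utils': {
      version: '3.3.6',
      resolved: 'https://registry.npmjs.org/stream-utils/-/stream-utils-3.3.6.tgz',
      // no "integrity": a replaced tarball at the same URL would install silently
      dependencies: {
        'flatmap-helper': {
          version: '0.1.1',
          resolved: 'https://registry.npmjs.org/flatmap-helper/-/flatmap-helper-0.1.1.tgz',
          integrity: 'sha512-PLACEHOLDER2',
        },
      },
    },
  },
};

// For the constructed samples: three loose specifiers, one unverifiable entry.
const report = auditProject(samplePackageJson, samplePackageLock);
```

In CI this check pairs with `npm ci`, which installs exactly what the lockfile records and fails if package.json and the lockfile disagree, and with `npm ci --ignore-scripts`, which keeps a dependency's install hooks from running during the build.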
Locking Down Network Connections
Second, BitPay has restricted the network connections our wallets can make. The actor who introduced the malicious code through the compromised dependency was trying to steal private keys from wallet users and send them to a specific URL. By restricting the URLs that the Copay and BitPay apps can interact with, we make this kind of attack harder to carry out even if an attacker found their way into our codebase: code that cannot reach an unexpected destination cannot deliver stolen keys to it.
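One common way to express such a restriction in a web-based or Cordova-packaged wallet is a Content-Security-Policy whose connect-src directive lists the only origins the app may open connections to; the WebView then refuses requests to anything else before a DNS lookup or TCP connect ever happens. The code below is an added example, not Copay's or BitPay's configuration: a small allowlist in connect-src form plus a matcher that applies it, so the rule can be unit-tested and used as a guard in front of fetch. The policy, the origin the app is assumed to be served from, and every hostname in it (including the attacker's collection endpoint) are constructed placeholders.

```javascript
// Added example, not Copay/BitPay code: an egress allowlist written as a
// Content-Security-Policy connect-src directive, with a matcher that decides
// whether a URL the app is about to contact is permitted by it.  In a Cordova
// or browser-hosted wallet the WebView enforces the policy from a
// <meta http-equiv="Content-Security-Policy"> tag; the matcher below makes the
// same rule explicit so it can be tested.  All hostnames are constructed
// placeholders, not real endpoints.

const POLICY =
  "default-src 'self'; " +
  "connect-src 'self' https://api.wallet.example https://*.insight.example " +
  "wss://events.wallet.example";

const DEFAULT_PORTS = { 'https:': '443', 'wss:': '443', 'http:': '80', 'ws:': '80' };

// Split a policy string into directives and return the connect-src source list,
// falling back to default-src as browsers do when connect-src is absent.
function parseConnectSrc(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives.get('connect-src') || directives.get('default-src') || [];
}

// Does one CSP source expression match the URL?  Handles 'self', scheme-only
// sources (https:), and host sources with optional scheme, a leading "*."
// wildcard and an explicit port.  Simplification: a host source without a
// scheme is required to match the page's own scheme.
function sourceMatches(source, url, self) {
  if (source === "'self'") {
    return url.protocol === self.protocol && url.host === self.host;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol === source.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;

  const wantScheme = scheme ? scheme.toLowerCase() + ':' : self.protocol;
  if (url.protocol !== wantScheme) return false;

  // "*.insight.example" matches btc.insight.example but not insight.example itself.
  const hostname = url.hostname.toLowerCase();
  const pattern = host.toLowerCase();
  if (wildcard ? !hostname.endsWith('.' + pattern) : hostname !== pattern) return false;

  // No port in the source means only the scheme's default port is allowed.
  if (port === '*') return true;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  const wantPort = port || DEFAULT_PORTS[url.protocol] || '';
  return urlPort === wantPort;
}

// True if the policy lets the app open a connection to urlString.  selfOrigin is
// the origin the wallet UI is served from (a constructed https origin here).
function isConnectionAllowed(policy, urlString, selfOrigin) {
  const url = new URL(urlString);
  const self = new URL(selfOrigin);
  return parseConnectSrc(policy).some((src) => sourceMatches(src, url, self));
}

// A fetch wrapper that refuses before any network activity, so a payload that
// does run inside the app still has nowhere to send what it collected.
function guardedFetch(policy, selfOrigin, urlString, init) {
  if (!isConnectionAllowed(policy, urlString, selfOrigin)) {
    return Promise.reject(new Error(`blocked by connect-src: ${urlString}`));
  }
  return fetch(urlString, init);
}
```

With the constructed policy, the wallet's own API, any subdomain of insight.example over https and the events websocket are reachable; a request to an attacker-controlled host, a plain-http request to the API host, the bare insight.example apex, or the API host on a non-default port are all refused. The real enforcement still belongs in the platform policy; the matcher only lets you write tests that pin down what that policy allows.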
These are the updates and changes that are currently live for the Copay and BitPay apps. We’re continuing to think of additional ways to make our wallets even more secure, and as those updates come out, we’ll let you know.
If you’re a developer and interested in helping with Copay, you can check out our GitHub page.