All Ledger wallets have a flaw that lets hackers steal your cryptocurrency
Cryptocurrency enthusiasts who rely on Ledger hardware wallets to keep their coins safe ought to exercise extreme caution when sending funds: sticky-fingered hackers might be out to re-route your digital cheddar away from your intended recipient and straight to their own wallets instead.
The company has taken to Twitter to remind users to “always verify [their] receiv[ing] address” on their devices’ screen manually by using the “monitor screen” button at the bottom of each transaction request form.
Referring to a recent vulnerability report from DocDroid, Ledger acknowledged that its hardware wallets suffer from a flaw that makes it possible for attackers to infect it with malware designed to trick you into sending your cryptocurrency to the hackers.
“Ledger wallets generate the displayed receive address using JavaScript code running on the host machine,” the report reads. “This means that a malware can simply replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker.”
What is even worse is that – due to Ledger’s design which requires new addresses be generated consistently – users have no viable options to “verify the integrity of the receive address.” This could dupe users into thinking the displayed receiving address is indeed authentic, while this might not at all be the case.
The DocDroid report further indicates that all Ledger software could be exploited and modified by even unprivileged malware, which means attackers could abuse its system without any need to gain administrative rights.
The wallets also have no implementation in place to check for integrity and ensure anti-tampering. Indeed, the report claims Ledger wallets are so poorly designed that pre-infected devices could exploit users’ first-ever transaction to jack their crypto.
DocDroid disclosed the vulnerability to Ledger a month ago, but its team preferred to fix the flaw by raising awareness about it – instead of making changes to its code and interface.
Responding to annoyed customers on Twitter, Ledger said that the issue “cannot be solved in the absolute.”
“A malware can always change what you see on your computer screen,” the company wrote. “The only solution is prevention and building an UX to make the user check on its device. On device verification feature has been added [six] month ago already.”
So next time you’re making a transaction with your Ledger wallet, better take your time to make sure everything is in check: you might be risking getting all of your coins jacked.
Update: Ledger has detailed the vulnerability at length at their official blog.
Update 2: Ledger has contacted TNW with the following statement:
CBS’s Showtime caught secretly stealing visitors’ CPU power to mine cryptocurrency
It turns out torrenting platforms are not the only ones toying with alternative methods to convert traffic to cash. A week after The Pirate Bay admitted to secretly running a cryptominer to borrow visitors’ CPU resources to bank on Monero coins, television giant CBS was caught doing the same with Showtime.
In fact, the popular broadcaster had purportedly implemented the mining solution on two official Showtime network websites – Showtime.com and Showtimeanytime.com – according to information security analyst Troy Mursch, who first documented the discovery acting on a tip from Twitter user SkensNet.
What is especially outrageous is that CBS had enabled the mining software on Showtime’s sites without any notification or request for consent to its subscribers. For more context, the miner was taking up to 60 percent of the overall visitors’ CPU capacity when Showtimeanytime.com was sitting idle in browsers.
Following coverage from The Register and Gizmodo, CBS appears to have removed the mining tech from the websites. Fortunately, Mursch was fast enough to save screenshots from Showtime’s website before, during and after running the miner.
You can browse through the source code evidence here:
As you can observe in the images above, the network opted to implement Coinhive – the same JavaScript-based solution The Pirate Bay relied on for the mining “tests” it ran on its own website.
The more troubling aspect of this move is that, as of recently, Coinhive has similarly been employed by a number of malware developers, seeking to hijack users’ computing resources to stack coins.
We have contacted CBS and Showtime for further comment and will update this piece accordingly should we hear back.
In the meantime: There are a few nifty tricks you can use to make sure no websites are stealing your CPU cycles to mine cryptocurrency without your consent. Read more here.
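One way to check saved page source for the kind of Coinhive embed described above, as an added example that is not part of the original article: a static scan for the loader script and the miner constructor. The marker patterns follow Coinhive's public embed snippet; the function name, the sample page and the site key in it are constructed for illustration.

```javascript
// Added example: static scan of page source for Coinhive embed markers.
// Loader: a <script> tag whose src is a .js file with "coinhive" in the URL.
const LOADER_RE = /<script[^>]+src=["']([^"']*coinhive[^"']*\.js[^"']*)["']/gi;
// Miner: new CoinHive.Anonymous/User/Token('<site key>' [, more arguments]).
const MINER_RE = /new\s+CoinHive\.(Anonymous|User|Token)\s*\(\s*["']([^"']+)["']([^)]*)\)/g;
// Optional throttle setting inside the constructor's remaining arguments.
const THROTTLE_RE = /throttle\s*:\s*([0-9.]+)/;

function scanForCoinhive(html) {
  const findings = { loaders: [], miners: [], suspicious: false };
  for (const m of html.matchAll(LOADER_RE)) {
    findings.loaders.push(m[1]);
  }
  for (const m of html.matchAll(MINER_RE)) {
    const t = THROTTLE_RE.exec(m[3]);
    findings.miners.push({
      kind: m[1],
      siteKey: m[2],
      // throttle = fraction of time the miner idles; treated as 0 when the
      // option is absent (assumption: no throttling unless configured)
      throttle: t ? parseFloat(t[1]) : 0,
    });
  }
  findings.suspicious = findings.loaders.length > 0 || findings.miners.length > 0;
  return findings;
}

// Constructed sample input: a page that embeds the miner, and a clean one.
const SAMPLE_MINING_PAGE = `<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('CONSTRUCTED_SITE_KEY', {throttle: 0.4});
  miner.start();
</script></head><body>video player</body></html>`;
const SAMPLE_CLEAN_PAGE = `<html><head>
<script src="/static/player.js"></script></head><body>video player</body></html>`;

console.log(JSON.stringify(scanForCoinhive(SAMPLE_MINING_PAGE), null, 2));
console.log(JSON.stringify(scanForCoinhive(SAMPLE_CLEAN_PAGE), null, 2));
```

A static scan like this only catches the plain embed; a renamed, proxied or obfuscated loader needs runtime checks such as watching per-tab CPU use or blocking the mining endpoints.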
Kobe Bryant is talking at TRON’s cryptocurrency event… for some reason
TRON founder and prolific marketeer, Justin Sun, has just pulled a megafamous rabbit out of his hat. None other than Kobe Bryant, one of the greatest basketballers of all time, will attend TRON’s blockchain conference next year, for some reason.
Described as a basketball superstar turned “investment genius,” Kobe is slated to share his life experience and business insights with attendees at niTRON Summit in San Francisco next January.
“I have been a huge fan of Kobe and deeply inspired by his journey. It’s my great honor to have Kobe as our special guest for the niTROn Summit,” said Sun. “It’s worth mentioning that Kobe Bryant is not only a basketball genius, but also an investment genius. We look forward to hearing his great speeches at the summit.”
While Kobe is a five-time NBA champion and holds two Olympic gold medals, he really has garnered off-court respect for lucrative investing.
He’s famously credited with turning $6 million into $200 million, after Coca-Cola purchased a minority stake in a sports drink of which Kobe is primary shareholder.
Unfortunately, Hard Fork didn’t receive any legitimate responses regarding the potential “slam dunk” use cases Kobe might drop at the conference, or how his investing experience may help Sun’s cryptocurrency increase adoption.
A TRON spokesperson wasn’t even prepared to confirm if Kobe was busy ‘dribbling’ with some ideas, stating: “We can’t draw any conclusions about his involvement in blockchain […] for now.”
In any case, this news places Bryant shoulder-to-shoulder with other high-flying celebs roped into attending cryptocurrency events.
In May, Snoop Dogg performed live at a Ripple Labs-sponsored event, but reports say that he wasn’t even paid in XRP. Sad.
Similarly hilarious, Twitter turned Bill Clinton into a meme after he spoke at Ripple’s annual Swell conference a few months back.
Celebrity cryptocurrency endorsements, in general, go terribly wrong. Most notably, the SEC moved against cryptocurrency startup Centra for its fraudulent initial coin offering, which was unfortunately endorsed by boxer Floyd Mayweather and entertainer DJ Khaled.
Both household names have since been sued over their involvement.
For Kobe’s sake, though, let’s hope he sticks to appearing at conferences. Seems safer, that way.