Ledger Connect Kit Exploited

“December 14th, 2023, Ledger experienced an exploit on Ledger Connect Kit, a Javascript library to connect Web sites to wallets.” “The industry collaborated with Ledger to neutralize the exploit and try to freeze stolen funds very quickly – the exploit was effectively running for less than two hours.” “This exploit is currently being investigated, Ledger has filed complaints and will help affected individuals try to recover funds.” “This exploit did not and does not affect the integrity of Ledger hardware or Ledger Live,” said Ledger CEO Pascal Gauthier. “The exploit was limited to third party DApps which use the Ledger Connect Kit.”

What happened?

In short, @Ledger made a chain of terrible blunders.

1. They are loading JS from a CDN.
2. They are not version locking loaded JS.
3. They had their CDN compromised.

I would avoid using ANY dApps until their teams confirm that they have mitigated the attack. https://t.co/a3brXNQSx9

— I’m Software 🦇🔊 (@MatthewLilley) December 14, 2023

Full Disclosure / Archive
