Part of MyEtherWallets to Be Under Threat

New security issue is related to the free Hola VPN plug-in, which is installed on 50 000 000 computers
10 July 2018

One of the most popular Ethereum wallets, MyEtherWallet, suffered its second major security breach in the last year after a widely used VPN service was compromised, TechCrunch reports.

MyEtherWallet warned users of the free Hola VPN plug-in, which is installed on 50 million computers, that they could become victims of an attack aimed at stealing cryptocurrency.

The company stated that Hola was compromised for 5 hours. Users who used the plug-in and their wallet may lose the funds stored in it. MyEtherWallet recommends that everyone who used the wallet and the VPN during the last 24 hours transfer their funds to a new address.

MyEtherWallet Twitter

In a conversation with TechCrunch, the MyEtherWallet team said that it assumes the attack originated from a Russian IP address.

The safety and security of MEW users is our priority. We’d like to remind our users that we do not hold their personal data, including passwords, so they can be assured that the hackers would not get their hands on that information if they have not interacted with the Hola Chrome extension in the past day.

MEW Team

MyEtherWallet had already been the victim of an attack earlier. In that incident a DNS server was hacked, which allowed the hacker to redirect users to a phishing copy of the site.

Potential Vulnerabilities Found in ETH 2.0

Least Authority has found potential security issues in the network P2P interaction and the block proposal system
26 March 2020

Technology security firm Least Authority, at the request of the Ethereum Foundation, conducted an audit of the Ethereum 2.0 specifications and identified several potential vulnerabilities.

Least Authority said that developers need to address vulnerabilities in the peer-to-peer (P2P) network layer, as well as in the block proposal system. At the same time, the auditor noted that the specifications are "very well thought out and competent."

However, at the moment there is no large ecosystem in the world that is based on PoS and uses sharding, so it is impossible to accurately assess the prospects for system stability.

Information security experts also emphasized that the specifications did not pay enough attention to describing the P2P network layer and the Ethereum node record system. Vulnerability risks are also observed in the block proposal system and the messaging system between nodes.

Experts said that in blockchains running on PoS, the choice of a new block is simple and no one can predict who will get the new block. In PoS systems, it is the block proposal system that decides whose block will be included in the blockchain, and this leads to the risk of data leakage. To solve the problem, the auditors suggested using a "Single Secret Leader Election" (SSLE) mechanism.

As for the peer-to-peer exchange system, there is a danger of spam. There is no centralized node in the system that would evaluate the actions of other nodes, so a "malicious" node can spam the entire network with various messages without any particular penalty. The solution to this problem may be to use special protocols for exchanging messages between nodes.