A security flaw has been discovered in the Ever surf web wallet. If successfully armed, it could enable an attacker to take full control of a victim’s wallet.
“By exploiting the vulnerability, it’s possible to decrypt the private keys and seed phrases that are stored in the browser’s local storage,” Israeli cybersecurity company Check Point said in a report shared with The Hacker News. “In other words, attackers could gain full control over the victim’s wallets. “
Ever Surf is a cryptocurrency wallet for the Everscale (formerly FreeTON) blockchain that also doubles up as a cross-platform messenger and allows users to access decentralized apps as well as send and receive non-fungible tokens (NFTs). It’s said to have an estimated 669,700 accounts across the world.
There are many ways to exploit the vulnerability, such as malicious browser extensions and phishing hyperlinks. The flaw allows you to access a wallet’s seed phrases and encrypted keys that can be stored locally in your browser. These key/seed phrases can then easily brute-forced into siphoning funds.
Given that local storage information is not encrypted, it can be accessed via rogue browser extensions or information-stealing software that could harvest such data from other web browsers.
Following responsible disclosure, a new desktop app has been released to replace the vulnerable web version, with the latter now marked as deprecated and used only for development purposes.
“Having the keys means full control over the victim’s wallet, and, therefore funds,” Check Point’s Alexander Chailytko said. You must be cautious when working with cryptocurrency. Make sure your devices are clean of any malware. Do not click on suspicious links. Keep the OS and Anti-Virus software up to date. “
“Despite the fact that the vulnerability we found has been patched in the new desktop version of the Ever Surf wallet, users may encounter other threats such as vulnerabilities in decentralized applications, or general threats like fraud, [and] phishing. “