What do you do when you discover a vulnerability placed into your app to steal from your users? Cryptocurrency wallet maker Komodo’s answer: hack its app and take its users’ money before the hackers. It even worked.
A few months ago, an anonymous contributor made a “useful update” to a library used by Komodo’s Agama wallet app, creating a new dependency. They waited until that update was incorporated into the Agama app, then made a change to the new dependency to create a backdoor into the app.
The staff at npm noticed the changes, realized what was going on, and contacted Komodo. Unfortunately, by this point, the backdoor was already in place. Merely updating the app to remove it might not be enough; anyone who didn’t get the update before the hacker broke in would lose their cryptocurrency.
So Komodo took a rather novel approach: it hacked itself. It used the very backdoor the malicious actor planted to sweep up $13 million worth of cryptocurrency and move it to a place the hacker couldn’t reach.
Komodo published a blog post to inform its users of what it did, why it did it, and how they can reclaim their money and transfer it back to new and hopefully more secure wallets.
All of this is, of course, a lesson in the dangers and strengths developers encounter when using third-party libraries and open software that allow anyone to contribute.
Bad actors can manipulate open software in ways that aren’t possible with proprietary software. But it can also be examined more thoroughly for vulnerabilities. These events illustrate both sides of that coin.
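As an added example (not code from Komodo, Agama, or the ZDNet report), one defender-side check this incident motivates: diff two npm lockfiles, list newly introduced dependencies, and escalate when one of those recently added packages changes again. The package names and integrity hashes below are constructed.

```python
import json

# Constructed sample lockfiles (lockfileVersion 2/3 "packages" layout); the
# package names and integrity hashes are made up, not Komodo's or Agama's.
LOCK_BEFORE = json.loads('{"packages": {"": {"name": "wallet"},'
    ' "node_modules/ui-toolkit": {"version": "2.1.0", "integrity": "sha512-UI-OLD"}}}')
# The "useful update": ui-toolkit bumps and pulls in a brand-new transitive dependency.
LOCK_AFTER = json.loads('{"packages": {"": {"name": "wallet"},'
    ' "node_modules/ui-toolkit": {"version": "2.2.0", "integrity": "sha512-UI-NEW"},'
    ' "node_modules/native-notify": {"version": "1.0.0", "integrity": "sha512-NOTIFY-1"}}}')
# Later: the newly introduced dependency is updated again, the moment a backdoor could land.
LOCK_LATER = json.loads('{"packages": {"": {"name": "wallet"},'
    ' "node_modules/ui-toolkit": {"version": "2.2.0", "integrity": "sha512-UI-NEW"},'
    ' "node_modules/native-notify": {"version": "1.0.1", "integrity": "sha512-NOTIFY-2"}}}')


def _packages(lock):
    """Map package name -> lock entry, skipping the root project entry ("")."""
    out = {}
    for path, entry in lock.get("packages", {}).items():
        if path:
            out[path.split("node_modules/")[-1]] = entry
    return out


def diff_lockfiles(before, after):
    """Report what changed between two lockfiles in supply-chain terms."""
    b, a = _packages(before), _packages(after)
    report = {"added": sorted(set(a) - set(b)), "removed": sorted(set(b) - set(a)),
              "version_changed": {}, "integrity_changed": []}
    for name in set(a) & set(b):
        if a[name].get("version") != b[name].get("version"):
            report["version_changed"][name] = (b[name].get("version"), a[name].get("version"))
        elif a[name].get("integrity") != b[name].get("integrity"):
            # Same version, different tarball hash: the contents were swapped underneath you.
            report["integrity_changed"].append(name)
    return report


def needs_review(report, watchlist):
    """Recently introduced packages (the watchlist) that changed again: read the diff first."""
    changed = set(report["version_changed"]) | set(report["integrity_changed"])
    return sorted(changed & set(watchlist))


if __name__ == "__main__":
    first = diff_lockfiles(LOCK_BEFORE, LOCK_AFTER)
    print("new dependencies to vet:", first["added"])
    second = diff_lockfiles(LOCK_AFTER, LOCK_LATER)
    print("recently added packages that changed again:", needs_review(second, first["added"]))
```

Run it against real lockfile revisions from version control to get the same two lists for an actual project.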
We’ll say it one more time though: maybe it’s best to stay away from cryptocurrency. [ZDNet]
In Other News:
- Original Final Fantasy Soundtracks are now free to stream: In a surprise move, Square Enix loaded nearly every Final Fantasy original soundtrack onto Spotify and Apple Music. These aren’t orchestrations, but how the songs sounded in the games. Unfortunately, most titles and songs with vocals, like Suteki da ne, are in Japanese. But if you love Final Fantasy, give them a listen. [Engadget]
- Amazon’s new delivery drone is wild: Amazon showed off its delivery drone yesterday, and it has some neat tricks up its sleeve. It doesn’t work like drones you might picture, and instead changes positions for flying and landing/takeoff. The drone can travel 15 miles and carry a five-pound package, and Amazon says it’ll start delivering in the coming months. Where will it deliver? Amazon didn’t answer. [TechCrunch]
- Google is killing Trips, another app you never used: Google continues its version of the Thanos Snap by wiping another of its products out of existence. This time Trips is on the chopping block, an app used for trip organization. The company says Google Travel is its replacement, but as Ars Technica points out, that’s a website, not an app. Worse yet, it’s a garbage-pile of endless ads. [Ars Technica]
- iOS 13 gives a proper controller to the Sony Remote Play app: We like the Sony Remote Play app, but its downfall is touchscreen controls. You can use a third-party controller, but that’s another thing to buy, and the buttons may not match. iOS 13 solves that problem by adding PS4 DualShock support, and that includes the Remote Play app. Good times. [MacRumors]
- Chrome Remote Desktop hits the web: Chrome Remote Desktop is an easy way to give remote access to a computer, which is useful when you need to lend tech help from afar. Google has been testing Chrome Remote Desktop on the web for well over a year now, but now it’s seemingly out of beta and officially available for all. Very nice. [9to5Google]
- Alexa will become more conversational in the future: Right now, using Alexa can be a bit frustrating. Say a command, get a result, wake her back up, say a new command, start over. Soon she’ll prompt you to move to a related skill using previous information. Did you buy tickets to a movie? She can suggest a dinner reservation near the theater, without you having to ask or tell her where the theater is again. Pretty cool stuff. [VentureBeat]
- Cadillac adds 70,000 miles of compatible highway to SuperCruise: Cadillac’s driver assist program, called SuperCruise, takes a unique approach to hands-free driving. You can keep your hands off the wheel for longer, but only if you’re on a pre-mapped highway and you keep looking at the road. Cameras watch you to make sure you’re paying attention. Cadillac just expanded its lidar-mapped highways by 70,000 miles, which means you’ll be able to use SuperCruise a lot more than before. [Digital Trends]
- Android Q beta is causing bootloops: You should never put a beta OS on your primary device, whether that be a computer, tablet, or phone. The reason for that advice is clearly demonstrated today, as Google just paused its Android Q beta rollout after learning Android phones were getting stuck in a bootloop. Apparently, the only way out was a factory reset. Not pretty, but hey, it’s a beta. [The Verge]
In neat science news, astronomers have finally spotted an accretion disc long theorized to surround the supermassive black hole at the center of our galaxy.
Like most galaxies, ours has a supermassive black hole at its center, designated Sagittarius A*. How supermassive? Picture the sun, then multiply that size by four million. It’s one of those incredibly large sizes that’s truly impossible to comprehend fully.
The thing about Sag A* is that it’s fairly quiet. In other galaxies, astronomers can readily spot evidence of hot disks of orbiting gas, called accretion disks. When TV shows and movies show a black hole, that swirly stuff you tend to think of as the black hole is the accretion disk.
But despite being so close to Sag A* (compared to other supermassive black holes), scientists couldn’t find its accretion disk. As it turns out, rather than gobbling up everything around it like the monster it is, Sag A* feeds more slowly, and the gases surrounding it are cooler. That made the disk very hard to spot.
The very unusual characteristics of the center of our galaxy emphasize how much more there is to learn and discover about the nature of our universe. [Science News]