Leading Bitcoin Pioneer Criticizes Ripple Sharply
Peter Todd Slams Ripple Over Security Flaw
In a scathing tweet storm, Peter Todd, the widely recognized Bitcoin developer and one of the Satoshi Nakamoto candidates named in the 2024 HBO documentary, called out Ripple over a security breach in xrpl.js, the JavaScript library used to interact with the XRP Ledger.
Todd recalled a 10-year-old warning he had given about such vulnerabilities.
As reported by U.Today, Ripple CTO David Schwartz confirmed that malicious code, first spotted by Aikido Security, had been inserted into the library. The backdoor sent private keys to a suspicious domain, letting attackers steal the keys of anyone running the compromised versions of the XRP Ledger Software Development Kit (SDK).
Previously, Todd had published a paper arguing that Ripple's security was at risk because it declined to provide a cryptographic PGP signature verifying its code, which could allow attackers to inject malicious code and distribute a tampered version of the software. A decade later, a similar attack came to fruition when an NPM compromise delivered the malicious backdoor.
Schwartz acknowledged the validity of Todd's warning "at that time" in February.
On the other hand, Todd admitted that his own software library is not PGP signed because the Python Package Index (PyPI) stopped supporting such downloads. He sarcastically remarked, "In fairness, at the moment, my python-bitcoinlib library isn't PGP signed for most users because PyPi made the idiotic decision to phase out PGP signatures. But my hands are tied on that; the entire software industry is incompetent."
This controversy underscores the need for stringent security measures such as verifying code integrity through PGP signing, as Bitcoin developer Peter Todd advocates. Despite the hullabaloo, key XRP services like Xaman Wallet and XRPScan remained unscathed, having used safe versions of the library.
Enrichment Insights:
- The compromise was part of a complex software supply chain attack.
- Ripple responded promptly: Schwartz confirmed the security flaw, and a patch was quickly issued to fix it.
- Specific versions of the library, namely v4.2.1, 4.2.2, 4.2.3, 4.2.4 and 2.14.2, were affected, while the newer releases v4.2.5 and 2.14.3 are safe.
- The recent security breach in Ripple's JavaScript library, xrpl.js, has sparked a debate about the importance of code integrity, initiated by Peter Todd.
- Todd, a well-known Bitcoin developer, criticized Ripple over a weakness he had warned about 10 years earlier, which was silently exploited through a malicious backdoor.
- This backdoor allowed for the sending of private keys to a questionable domain, potentially exposing millions of dollars in cryptocurrency to cyber attacks.
- Ripple CTO David Schwartz admitted to the existence of the malicious code, first discovered by Aikido Security, and acknowledged the validity of Todd's warning in February.
- Despite his own library, python-bitcoinlib, not being PGP signed due to PyPI's decision, Todd emphasized the necessity of PGP signing for ensuring code integrity in the crypto industry.
- Ironically, despite the controversy surrounding Ripple, key XRP services like Xaman Wallet and XRPScan avoided the breach, as they employed safer versions of the library.
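The version list above is the practical takeaway for anyone maintaining a Node.js project that depends on xrpl.js. As an added example (not code from the article, Ripple or the xrpl.js project), the following script walks a `package-lock.json` (lockfileVersion 2 or 3), flags every installed copy of `xrpl`, including nested copies, whose version is one the article names as compromised, and reports the safe release for that major line. The sample lockfile is constructed for illustration.

```javascript
// Added example: audit an npm lockfile for the xrpl.js releases the article
// lists as compromised. Not part of the article or the xrpl.js project.
const AFFECTED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);
// Safe release for each affected major line, as stated in the article.
const FIXED_FOR_MAJOR = { 4: "4.2.5", 2: "2.14.3" };

// Return one record per installed copy of `xrpl` in a lockfileVersion 2/3
// `packages` map. Nested copies live under paths such as
// "node_modules/<dep>/node_modules/xrpl", so we match on the path suffix.
function findXrplInstalls(lockfile) {
  const packages = lockfile.packages || {};
  const results = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "" || !path.endsWith("node_modules/xrpl")) continue;
    const version = meta.version || "unknown";
    const major = Number(version.split(".")[0]);
    const affected = AFFECTED.has(version);
    results.push({
      path,
      version,
      affected,
      upgradeTo: affected ? FIXED_FOR_MAJOR[major] : null,
    });
  }
  return results;
}

// Constructed sample lockfile: a direct dependency pinned to a compromised
// release, plus a nested copy pulled in by another package that is already safe.
const SAMPLE_LOCKFILE = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { xrpl: "^4.2.0" } },
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/some-wallet-lib/node_modules/xrpl": { version: "4.2.5" },
  },
};

function auditSample() {
  return findXrplInstalls(SAMPLE_LOCKFILE);
}

for (const r of auditSample()) {
  const verdict = r.affected ? `COMPROMISED, upgrade to ${r.upgradeTo}` : "ok";
  console.log(`${r.path}@${r.version}: ${verdict}`);
}
```

To run against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a hit on a compromised version means the installed code, not just the declared range, must be replaced and any keys handled by that deployment treated as exposed.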
