The maintainers of the Bitmessage P2P encrypted communications protocol have released a fix after discovering that hackers were using a zero-day in attempts to steal Bitcoin wallet files from users' computers.
The attacks came to light yesterday, and the zero-day affects PyBitmessage, a Python-based Bitmessage desktop client for Linux, Mac, and Windows.
"If you are using PyBitmessage 0.6.2 or later, please shutdown [your PyBitmessage app] and wait until you see a commit in the repo that fixes it," said Peter Surda, Bitmessage core developer, in a Bitmessage text posted on a public chat. "This is not a drill, the exploit can have serious consequences."
"[The zero-day] allows a remote execution, but it probably crashed for most people before it could execute anything," Surda added. "In the logs, I see attempts to run a Windows executable and to steal Electrum [Bitcoin] wallet files."
"The exploit is triggered by a malicious message if you're the recipient (including joined chans)," said Surda on Reddit.
"The attacker ran an automated script but also opened, or tried to open, a remote reverse shell," Surda added. "The automated script looked in ~/.electrum/wallets, but when using the reverse shell he had access to other files as well."
Surda believes the attackers are actively going after Bitcoin wallet files, which may contain private keys. These private keys are passwords for Bitcoin-storage accounts and will allow attackers to transfer funds out of victims' wallets.
All Bitmessage users should change their wallet passwords (if users employed additional wallet security) or move Bitcoin funds into new wallets with different private keys.
Surda also released version 0.6.3.2 of PyBitmessage to address the flaw. Mac and Windows binaries will be released in the coming days.
Bitmessage is a lesser-known instant messaging client that supports encrypted communications. Users talk to each other via hashed IDs in the form of BM-2cVJ8Bb9CM5XTEjZK1CZ9pFhm7jNA1rs46.
The zero-day could have been exploited to steal other types of files besides Bitcoin wallets, which Bitmessage devs or victims may not be aware at the time of writing.
It is highly recommended that users change all passwords —system and browser-stored credentials— just to be sure they're on the safe side, an opinion shared by Surda.
"If you have a suspicion that your computer was compromised, please change all your passwords and create new Bitmessage keys," he said. "Also, don't contact me on my old addresses, my keys were most likely also compromised."
Bitmessage is also a protocol often used by ransomware developers as a way for victims to get in touch and negotiate a ransom payment. It wouldn't be a surprise if some ransomware authors lost Bitcoin funds as well.