iancoleman / bip39

A web tool for converting BIP39 mnemonic codes
https://iancoleman.io/bip39/
MIT License

Malicious Clone Scripts #173

Closed cryptopivot closed 6 years ago

cryptopivot commented 6 years ago

Example altered script. http://ledger.3utilities.com/lcc/

How can these types of clones be checked against your open source trusted script?

As a mod for LCC and an HTML/MySQL/PHP dev, I must say this script is out of my ability to test.

We work to protect our community against dangers; see the attached source code, in the event the link is removed. lcc-clone.txt

iancoleman commented 6 years ago

This tool has signed hashes for each release (see releases).

It isn't perfect, and it's really only useful for technical users, but it's something.

I don't know of any way to prevent malicious clones.

The steps to check the downloaded version from releases are:

In a Linux terminal, generate the hash of the standalone HTML file:

$ sha256sum bip39-standalone.html

Check that the hash matches the signed hash, and verify that the signature is valid:

$ gpg --verify signature.txt.asc

If the hash doesn't match, the file has been modified (potentially maliciously) and should not be used without fully checking the entire source code. This is probably not possible for most people.

If the signature is invalid there is no way to check if the file has been modified from the original.
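The verification procedure described in the comment above, as an added example script (it is not part of the original thread or the bip39 project). It assumes the release's signature.txt.asc is a PGP clearsigned text that lists `<sha256>  bip39-standalone.html`, that the maintainer's public key has already been imported into the local keyring, and that the key's fingerprint has been confirmed out of band and is passed as the third argument (EXPECTED_FPR is a placeholder). A bare "Good signature" from gpg only proves the file was signed by some key in your keyring, so the script checks the fingerprint from gpg's status output and then compares the hash itself instead of trusting the signed text's presence.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Verifies a downloaded
# bip39-standalone.html against the clearsigned hash list from a release.
# Assumed layout of signature.txt.asc (PGP clearsigned text):
#   <sha256-hex>  bip39-standalone.html
# Usage: sh verify-bip39.sh bip39-standalone.html signature.txt.asc EXPECTED_FPR

# Return 0 if the SHA-256 of file $1 equals the lowercase hex digest $2.
check_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Print the hash listed for basename $2 inside the clearsigned text $1.
# Only lines shaped "<64 hex chars>  <name>" are accepted, so a stray
# mention of the filename elsewhere in the message cannot be picked up.
expected_hash_for() {
  sigfile="$1"; name="$2"
  grep -E "^[0-9a-f]{64}  $name\$" "$sigfile" | head -n 1 | cut -d' ' -f1
}

# Verify the clearsigned file and require that it was signed by key $2.
# gpg's machine-readable status lines are used instead of parsing the
# human-readable "Good signature" text. VALIDSIG carries the signing
# (sub)key fingerprint as its first field and the primary key fingerprint
# as its last field; either may be the one confirmed out of band.
gpg_verify_with_fpr() {
  sigfile="$1"; fpr="$2"
  status=$(gpg --batch --status-fd 1 --verify "$sigfile" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -Eq "^\[GNUPG:\] VALIDSIG ($fpr |.* $fpr\$)"
}

# Full procedure: signature first, then hash lookup, then hash comparison.
verify_release() {
  html="$1"; sigfile="$2"; fpr="$3"
  name=$(basename "$html")
  if ! gpg_verify_with_fpr "$sigfile" "$fpr"; then
    echo "FAIL: signature invalid or not made by key $fpr" >&2
    return 1
  fi
  expected=$(expected_hash_for "$sigfile" "$name")
  if [ -z "$expected" ]; then
    echo "FAIL: no SHA-256 entry for $name in $sigfile" >&2
    return 1
  fi
  if ! check_sha256 "$html" "$expected"; then
    echo "FAIL: $name does not match the signed hash; file was modified" >&2
    return 1
  fi
  echo "OK: $name matches the signed hash from $sigfile"
}

if [ "$#" -eq 3 ]; then
  verify_release "$1" "$2" "$3"
fi
```

Run it as `sh verify-bip39.sh bip39-standalone.html signature.txt.asc <fingerprint>`; a non-zero exit means the file must not be used. The fingerprint check is the part that distinguishes the maintainer's key from any key an attacker could generate and publish alongside a clone.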