Operation JASK (Just A Single Keystroke named by core member Nitin) took place on the 23rd of July 2018 where several members from hackers.mu fixed a Regular Expression which caused an attacker to retrieve sensitive signature data, which could forge someone’s identity.
The vulnerability was found mainly in gpg.sh and was disclosed as CVE-2018-12356
hackers.mu has patched 21 bitcoin projects as listed below:
|Yasir||bitcoin2x, kredsBlockchain, sparkscrypto|
|Nigel||Bitcoin Gold, Qtum, BitCore, BitcoinX, Bitcoin Diamond, Digibyte||Bitcoin Gold|
|Muzaffar||Monacoin, Binarium, Terracoin, Monoeci, Bitcoin-Atom, coruus/cooperpair||Monacoin, Binarium, Terracoin|
Writing Regular Expressions is something which should be unit tested properly as a single character can mess things up (just like in the GPG signing). A flaw in signatures will definitely put bitcoin projects at risk – that’s why we are here!
Core member Loganaden got in touch with GitHub as he believes the signature process is not as it should be. GitHub said that they have forwarded this issue to the concerned department but it seems that this issue is being overlooked.
Stay tuned for more contributions!