Signature verification vulnerability in Stark Bank ecdsa libraries

GHSA-9wx7-jrvc-28mm

Published Nov 8, 2021 · Modified Dec 6, 2024

Description

An attacker can forge signatures on arbitrary messages that will verify for any public key. This may allow attackers to authenticate as any user within the Stark Bank platform, and bypass signature verification needed to perform operations on the platform, such as send payments and transfer funds. Additionally, the ability for attackers to forge signatures may impact other users and projects using these libraries in different and unforeseen ways.

References

WEB https://github.com/starkbank/ecdsa-python/commit/d136170666e9510eb63c2572551805807bd4c17f
WEB https://github.com/starkbank/ecdsa-dotnet
WEB https://github.com/starkbank/ecdsa-java
WEB https://github.com/starkbank/ecdsa-node
PACKAGE https://github.com/starkbank/ecdsa-python
WEB https://github.com/starkbank/ecdsa-python/compare/v2.0.0...v2.0.1
WEB https://github.com/starkbank/ecdsa-python/releases/tag/v2.0.1
WEB https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature-forgery-in-stark-bank-ecdsa-libraries

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes