Yet it doesn't seem to really answer the question.
I get that what we're looking at is a browser extension that relies on a bunch of webshit, some of which was malware.
As somebody not versed in "web3"-specific webshits, I thought the point of a hardware token was that there is some kind of verification on the device itself. So this doesn't seem sufficient to "drain" a wallet, right?
My assumption would be that the computer running the malware never gets the key material directly, rather it submits some request to the hardware token, which prompts the user with the details on some external physical display. The user reviews the details, then does something in meatspace that causes the hardware token to sign the something in question and pass it back to the software on the PC.
So isn't it the case that the user would have to approve the malware drain transaction themselves? And if not... what's the point of these devices, anyway?
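The signing flow this comment assumes, as an added toy model that is not part of the original thread: the host software never holds the key, the device renders the transfer details on its own screen, and it signs only after the user confirms. HMAC stands in for the real signature scheme, and every address, amount and secret here is constructed for illustration.

```python
"""Toy model of the hardware-token signing flow: key stays on the device,
the device displays what it is about to sign, and no approval means no signature.
All keys, addresses and amounts are constructed for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Tx:
    to: str
    amount: int  # constructed units, not a real asset


class HardwareToken:
    """Holds the secret; exposes only display + confirm + sign, never the key."""

    def __init__(self, secret: bytes, confirm: Callable[[str], bool]):
        self._secret = secret      # never leaves the device object
        self._confirm = confirm    # stands in for the physical button press

    def sign(self, tx: Tx) -> Optional[bytes]:
        # Rendered on the device's own screen, independent of anything the host shows.
        shown = f"Send {tx.amount} to {tx.to}"
        if not self._confirm(shown):
            return None            # user declined: the host gets nothing usable
        # The device signs exactly what it displayed, so the host cannot swap it afterwards.
        msg = f"{tx.to}:{tx.amount}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()  # stand-in for ECDSA


def host_submit(token: HardwareToken, tx: Tx) -> Optional[bytes]:
    """Host-side code (honest or compromised) can only ask the device to sign."""
    return token.sign(tx)


# Constructed scenario: the transfer the user meant to make, and one they did not.
INTENDED = Tx(to="addr_owner_friend", amount=10)
DRAIN = Tx(to="addr_unknown", amount=100_000)


def user_policy(shown: str) -> bool:
    """The user approves only the exact details they intended to send."""
    return shown == f"Send {INTENDED.amount} to {INTENDED.to}"


def demo(token_secret: bytes = b"constructed-device-secret"):
    tok = HardwareToken(token_secret, user_policy)
    intended_signed = host_submit(tok, INTENDED) is not None
    drain_refused = host_submit(tok, DRAIN) is None
    return intended_signed, drain_refused


if __name__ == "__main__":
    print(demo())  # (True, True)
```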