ZenGo is warning users about a cryptography vulnerability that affects devices running an unpatched version of Windows 10. The CVE-2020–0601 vulnerability was first uncovered by the NSA, and was later picked up by ZenGo, which gave it the much catchier “CurveBall” moniker.
So how does CurveBall work? In plain terms, a hacker seeking to exploit CurveBall can leverage the vulnerability to trick Windows 10 users into visiting seemingly legitimate sites, where they will then be prompted to install malware that is masquerading as (again) seemingly legitimate programs and updates. That malware can then be used to steal funds from a web wallet, or mine personal information in a manner akin to the malicious Google Play apps recently detailed by Buguroo.
CurveBall only affects web wallets and Windows 10 desktops that have not yet downloaded the latest Windows Update, which will effectively fix the problem. For those who are unsure about the status of their computer, ZenGo has created a CurveBall test page that will tell them whether or not their machine is still exposed to the vulnerability.
To give its own consumers some additional peace of mind, ZenGo stressed that its own cryptocurrency wallet was built exclusively for mobile platforms, and was not built in a Windows production environment. The organization also noted that CurveBall is specifically related to the way Windows validates certificates, and not the cryptography itself. That means that the platform is not vulnerable to the exploit, and the same is true for any blockchains that use Elliptic Curve Cryptography, including Bitcoin and Ethereum.
In November, ZenGo updated its app to offer support for stablecoin cryptocurrencies. Shortly before that, the company also teamed up with Unbound Tech and Sepior to form the MPC Alliance, which was set up to encourage more organizations to adopt multiparty computation technology.