Cryptocurrency enthusiasts who rely on Ledger hardware wallets to keep their coins safe ought to exercise extreme caution when sending funds: sticky-fingered hackers might be out to re-route your digital cheddar away from your intended recipient and straight to their own wallets instead.
The company has taken to Twitter to remind users to “always verify [their] receiv[ing] address” manually on their device’s screen by using the “monitor screen” button at the bottom of each transaction request form.
Referring to a recent vulnerability report from DocDroid, Ledger acknowledged that its hardware wallets suffer from a flaw that makes it possible for attackers to infect them with malware designed to trick you into sending your cryptocurrency to the hackers.
What is even worse is that – due to Ledger’s design which requires new addresses be generated consistently – users have no viable options to “verify the integrity of the receive address.” This could dupe users into thinking the displayed receiving address is indeed authentic, while this might not at all be the case.
The DocDroid report further indicates that all Ledger software could be exploited and modified by even unprivileged malware, which means attackers could abuse its system without any need to gain administrative rights.
More updates from Ledger: https://www.ledger.fr/2018/02/05/man-middle-attack-risk/