{"id":5472,"date":"2018-12-06T15:31:46","date_gmt":"2018-12-06T12:31:46","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=5472"},"modified":"2019-11-15T14:35:44","modified_gmt":"2019-11-15T11:35:44","slug":"copay-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/copay-supply-chain-attack\/5472\/","title":{"rendered":"The weak link in the crypto chain"},"content":{"rendered":"<p>Almost every developer uses third-party libraries. Millions of developers share their work with the world through them, and building on existing modules instead of rewriting them is a sensible use of your time. But using someone else's code means trusting whoever develops it. BitPay, the developers of the Copay cryptocurrency wallet, recently saw the downside of relying on third-party open-source code.<\/p>\n<p><a href=\"https:\/\/github.com\/bitpay\/copay\/\" target=\"_blank\" rel=\"noopener nofollow\">Copay<\/a> is, put simply, a multi-platform Bitcoin\/Bitcoin Cash <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/cryptowallets\/4838\/\" target=\"_blank\" rel=\"noopener\">cryptocurrency wallet<\/a> that lets its users create shared wallets. Copay is written in JavaScript and draws on a large number of third-party open-source libraries.<\/p>\n<p>One of them is an open-source Node.js module called event-stream. 
The developer who maintained the module's repository on the version-control service GitHub had long since lost interest in the project and had not maintained the repository for years. Then another developer, with almost no GitHub history, asked the original developer for administrator rights so they could maintain the repository, and the original developer granted them.<\/p>\n<p>The new developer got to work immediately. First, the event-stream library started using a module called flatmap-stream from the same developer's GitHub repository. Then that module was modified and malicious code was added. Three days after that update, the same developer published another version of flatmap-stream without the malicious code, most likely to cover the tracks of the malicious activity. Note that publishing a clean version does not remove the malicious one from the registry: any project that had already installed or locked the bad version kept it.<\/p>\n<p>With that, the event-stream library was compromised. It is widely used, not only by BitPay but by many other companies. The malicious version reportedly stayed in circulation for only three days, but that was enough: Copay's developers pulled the updated version into their project without noticing that the library had been swapped for malicious content. 
The updated wallet software was published in the app stores and downloaded by many users.<\/p>\n<p>Perhaps Copay's developers did not want to spend time reviewing the changes in the library they were using. These days, updating the libraries a project depends on is easily automated by package managers such as npm: a developer runs a single command such as npm update and every third-party module in the project is updated.<\/p>\n<p>Even if the developers had reviewed the updated libraries, finding the malicious code would not have been easy. A library used in a project can itself depend on other libraries (as event-stream depends on flatmap-stream), and checking every one of those links can take a great deal of time. In this case the job was harder still, because the malicious portion of flatmap-stream was encrypted, so reading the source did not reveal what it did.<\/p>\n<p>According to <a href=\"https:\/\/www.ccn.com\/breaking-numerous-bitcoin-wallets-may-have-been-compromised-by-rogue-developer\/\" target=\"_blank\" rel=\"noopener nofollow\">CCN<\/a>, the flatmap-stream library had been modified to exfiltrate private keys (the secrets that control a wallet's funds) from applications built on both event-stream and copay-dash. 
That applications using the copay-dash libraries were targeted as well shows the attack was aimed at BitPay, the creator of Copay and the developer of copay-dash. In this case the keys could be exfiltrated only when both libraries were in use together, so the leak happened only in products built on Copay's code.<\/p>\n<p>According to <a href=\"https:\/\/arstechnica.com\/information-technology\/2018\/11\/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin\/\" target=\"_blank\" rel=\"noopener nofollow\">ArsTechnica<\/a>, the malicious payload gave the attackers unauthorized access to users' wallets and the ability to transfer funds out of them. The malicious code was spotted by a GitHub user and <a href=\"https:\/\/github.com\/dominictarr\/event-stream\/issues\/116#issuecomment-441749105\" target=\"_blank\" rel=\"noopener nofollow\">reported<\/a>. But several versions of the Copay wallet containing the malicious code had already been distributed. BitPay eventually acknowledged the problem and advised customers running versions 5.0.2 through 5.1.0 to upgrade to the latest release, 5.2.0. So far there is no information on how many users were affected or how much money they lost.<\/p>\n<p>This is a classic supply-chain attack: the attacker compromised a third-party library used by the application's developers. 
The problem here stems from using open-source software whose maintainers are unknown. Nobody can guarantee that such software keeps working the way it did a few versions earlier. That is not the fault of the open-source developers: they provide their products as-is, with no guarantees.<\/p>\n<p>The thorny part is that Copay is itself open source and widely used by other cryptocurrency wallet developers. So the problem may be bigger than it appears.<\/p>\n<p>Businesses that make money by providing software, especially software used to transfer large sums of money, need to make sure their software passes security checks before release, including careful analysis of new versions of the third-party libraries used in their projects.<\/p>\n<p>Best practice is to look at the state of the repository, weigh other developers' ratings, check how often the project is updated and how long ago the last update was, and scan the issue tracker. Anything odd should prompt a deeper investigation or a switch to another module.<\/p>\n<p>When something goes wrong in such a library, the library's developers may be the ones at fault, but customers will blame the company that shipped the software depending on it. 
Of course, we are not saying don't use open-source products, but we do recommend being very careful.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Almost every developer uses third-party libraries. Millions of developers share their work with the world through them, and building on existing modules instead of rewriting them is a sensible use of your time.<\/p>\n","protected":false},"author":675,"featured_media":5473,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1194,1727],"tags":[1781,374,1780,1544,1611],"class_list":{"0":"post-5472","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-acik-kaynak","10":"tag-bitcoin","11":"tag-copay","12":"tag-kripto-para","13":"tag-tedarik-zinciri"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/copay-supply-chain-attack\/5472\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/copay-supply-chain-attack\/14735\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/copay-supply-chain-attack\/12342\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/copay-supply-chain-attack\/16652\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/copay-supply-chain-attack\/14843\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/copay-supply-chain-attack\/13824\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/copay-supply-chain-attack\/17443\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/copay-supply-chain-attack\/16652\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/copay-supply-chain-attack\/21845\/"}
,{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/copay-supply-chain-attack\/24786\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/copay-supply-chain-attack\/10102\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/copay-supply-chain-attack\/18176\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/copay-supply-chain-attack\/22088\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/copay-supply-chain-attack\/21585\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/copay-supply-chain-attack\/21584\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/tedarik-zinciri\/","name":"tedarik zinciri"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/5472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=5472"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/5472\/revisions"}],"predecessor-version":[{"id":6875,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/5472\/revisions\/6875"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/5473"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=5472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=5472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=5472"}],"curies":[{"name":"wp","href":"
https:\/\/api.w.org\/{rel}","templated":true}]}}
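The post's point that one npm update command can silently swap a library's whole dependency tree, and that reviewing every transitive link by hand is impractical, is easier to act on with a lockfile diff. The following is an added example, not code from BitPay, Copay or the event-stream project: it compares a known-good package-lock.json snapshot with the one produced after an update and flags new transitive packages, version bumps, and changed or missing integrity hashes. The two lock snapshots and the package.json are constructed for the example; only the package names and the event-stream 3.3.4 to 3.3.6 / flatmap-stream 0.1.1 change follow the incident, and the integrity hashes are placeholders, not real npm tarball hashes.

```javascript
// Added example, not code from BitPay, Copay or the event-stream project:
// diff the dependency lock before and after an update and report what changed
// anywhere in the tree, not only among the direct dependencies.
// Both lock snapshots and the package.json below are constructed; the package
// names and the event-stream 3.3.4 -> 3.3.6 / flatmap-stream 0.1.1 change
// mirror the incident, the integrity hashes are made-up placeholders.

const PACKAGE_JSON = {
  name: "wallet-app",
  dependencies: { "event-stream": "^3.3.4" } // the only dependency anyone chose
};

// package-lock.json (v1 layout) as it was at the last reviewed release.
const KNOWN_GOOD_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "3.3.4",
      integrity: "sha512-PLACEHOLDER-event-stream-3.3.4",
      requires: { through: "~2.3.1" }
    },
    through: { version: "2.3.8", integrity: "sha512-PLACEHOLDER-through-2.3.8" }
  }
};

// The same lock after a blind `npm update`: the minor bump of event-stream
// pulls in a brand-new transitive package that nobody in the project picked.
const CANDIDATE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "3.3.6",
      integrity: "sha512-PLACEHOLDER-event-stream-3.3.6",
      requires: { "flatmap-stream": "0.1.1", through: "~2.3.1" }
    },
    "flatmap-stream": { version: "0.1.1", integrity: "sha512-PLACEHOLDER-flatmap-stream-0.1.1" },
    through: { version: "2.3.8", integrity: "sha512-PLACEHOLDER-through-2.3.8" }
  }
};

// Flatten a lockfile-v1 tree into "path -> {version, integrity}". A nested
// `dependencies` object (used when two versions of a package coexist) gets a
// "parent>child" path so it is not confused with the top-level copy.
function flattenLock(lock) {
  const out = new Map();
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = prefix ? `${prefix}>${name}` : name;
      out.set(path, { version: info.version, integrity: info.integrity || null });
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Compare two lock snapshots and return the findings a reviewer should read.
function diffLocks(oldLock, newLock, pkgJson) {
  const before = flattenLock(oldLock);
  const after = flattenLock(newLock);
  const direct = new Set(Object.keys(pkgJson.dependencies || {}));
  const findings = [];
  for (const [path, info] of after) {
    const name = path.split(">").pop();
    const prev = before.get(path);
    if (!prev) {
      // Not in the old lock and not in package.json: it arrived through some
      // dependency's own dependency list, the event-stream -> flatmap-stream path.
      findings.push({ kind: "added", pkg: name, version: info.version, transitive: !direct.has(name) });
    } else if (prev.version !== info.version) {
      findings.push({ kind: "version-changed", pkg: name, from: prev.version, to: info.version });
    } else if (prev.integrity !== info.integrity) {
      // Same version string, different tarball hash: the published contents
      // changed underneath the version and deserve the scrutiny of a new package.
      findings.push({ kind: "integrity-changed", pkg: name, version: info.version });
    }
    if (!info.integrity) {
      findings.push({ kind: "missing-integrity", pkg: name, version: info.version });
    }
  }
  for (const path of before.keys()) {
    if (!after.has(path)) findings.push({ kind: "removed", pkg: path.split(">").pop() });
  }
  return findings;
}

// Release gate: a new transitive package, or a changed or missing integrity
// hash, blocks the build until someone has actually read what was pulled in.
function needsReview(findings) {
  return findings.some(f =>
    (f.kind === "added" && f.transitive) ||
    f.kind === "integrity-changed" ||
    f.kind === "missing-integrity");
}

const report = diffLocks(KNOWN_GOOD_LOCK, CANDIDATE_LOCK, PACKAGE_JSON);
for (const f of report) console.log(JSON.stringify(f));
console.log(needsReview(report) ? "BLOCK: review required before release" : "OK: nothing new in the tree");
```

In a real pipeline the two snapshots would be the committed package-lock.json and the one left behind by the update (loaded with require or JSON.parse), and the build would install with npm ci, which installs exactly what the lock says and refuses to run when package.json and the lock disagree, rather than with npm update. On the constructed input the script reports the event-stream version change and the transitive addition of flatmap-stream, and blocks the release.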
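The best-practice list near the end of the post (look at the state of the project, how often it is updated, how long ago the last update was) can be made mechanical against the package registry's metadata, which is where a maintainer handover like the one in this incident is visible. The following is an added example, not code from BitPay, Copay, npm or the event-stream project. The metadata object is constructed: its shape (a time map of version to publish date, a maintainers list, and an _npmUser field on each published version) is this example's assumption about the npm registry packument, and the package name, account names, dates and version history are made up.

```javascript
// Added example, not code from BitPay, Copay, npm or the event-stream project:
// the "look at the state of the project" checks the post recommends, turned
// into a pre-upgrade gate on a package's registry metadata.
// The metadata below is constructed. Its shape (a `time` map of version ->
// publish date, a `maintainers` list, and `_npmUser` on each published
// version) is what this example assumes a registry packument looks like;
// the package name, account names, dates and version history are made up.

const PACKUMENT = {
  name: "example-stream",
  "dist-tags": { latest: "3.3.6" },
  maintainers: [{ name: "original-author" }, { name: "new-account" }],
  time: {
    created: "2012-01-10T00:00:00.000Z",
    "3.3.4": "2016-05-01T00:00:00.000Z",
    "3.3.5": "2018-09-06T00:00:00.000Z",
    "3.3.6": "2018-09-09T00:00:00.000Z",
    modified: "2018-09-09T00:00:00.000Z"
  },
  versions: {
    "3.3.4": { _npmUser: { name: "original-author" } },
    "3.3.5": { _npmUser: { name: "new-account" } },
    "3.3.6": { _npmUser: { name: "new-account" } }
  }
};

const DAY_MS = 86400000;

function publisherOf(pack, version) {
  const v = pack.versions[version];
  return v && v._npmUser ? v._npmUser.name : null;
}

// Versions in publish order, taken from the `time` map rather than by parsing
// semver, so an old-looking version published recently still sorts by real date.
function versionsByDate(pack) {
  return Object.keys(pack.versions)
    .sort((a, b) => Date.parse(pack.time[a]) - Date.parse(pack.time[b]));
}

// Assess moving from `fromVersion` to `toVersion` at time `now` (ms since epoch).
function assessUpgrade(pack, fromVersion, toVersion, now, opts = {}) {
  const minAgeDays = opts.minAgeDays ?? 14;     // give the ecosystem time to look first
  const dormantDays = opts.dormantDays ?? 365;  // "years without maintenance"
  const ordered = versionsByDate(pack);
  const lo = ordered.indexOf(fromVersion);
  const hi = ordered.indexOf(toVersion);
  if (lo < 0 || hi < 0) throw new Error("unknown version in packument");
  const warnings = [];

  const fromPub = publisherOf(pack, fromVersion);
  const toPub = publisherOf(pack, toVersion);
  if (fromPub !== toPub) {
    warnings.push(`publisher changed: ${fromVersion} by ${fromPub}, ${toVersion} by ${toPub}`);
  }

  const ageDays = (now - Date.parse(pack.time[toVersion])) / DAY_MS;
  if (ageDays < minAgeDays) {
    warnings.push(`${toVersion} is only ${Math.floor(ageDays)} days old`);
  }

  // A long-dormant project revived by a different account is the pattern here:
  // scan the releases between the two versions for such a gap.
  for (let i = lo + 1; i <= hi; i++) {
    const gapDays = (Date.parse(pack.time[ordered[i]]) - Date.parse(pack.time[ordered[i - 1]])) / DAY_MS;
    if (gapDays > dormantDays && publisherOf(pack, ordered[i]) !== publisherOf(pack, ordered[i - 1])) {
      warnings.push(`${ordered[i]} revived the project after ${Math.floor(gapDays)} idle days under a new publisher`);
    }
  }
  return { ok: warnings.length === 0, warnings };
}

const verdict = assessUpgrade(PACKUMENT, "3.3.4", "3.3.6", Date.parse("2018-09-12T00:00:00Z"));
console.log(verdict.ok ? "OK" : "HOLD:\n  " + verdict.warnings.join("\n  "));
```

On the constructed history the 3.3.4 to 3.3.6 upgrade, assessed three days after the newer release, is held for three reasons: the publisher changed, the release is younger than the two-week threshold, and the project went from more than two idle years straight to releases by a different account. The same function passes a 3.3.5 to 3.3.6 step reviewed months later, because nothing changed hands in that window.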