Incorrect Account Used for Signing
@metamask/eth-ledger-bridge-keyring
@metamask/eth-ledger-bridge-keyring prior to 0.2.2 may use the wrong account when signing transactions or personal messages.
The vulnerability affects cases where the user signs a personal message or transaction without first adding the account in the current session. This includes the case where the account was added in a previous session (i.e. the user added the account, reset the application, then signed something). The serialization/deserialization process restores a previously added account, but it does not restore the index that tells the keyring which account to use for signing. As a result, after serializing and then deserializing the keyring state, the account at index 0 is always used for signing, even when it is not the selected account.
Any use of this package to sign with a BIP44 account other than the first one may be vulnerable. Users signing with the first account (the account at index 0), for whom the defaulted index happens to be the correct one, or with the legacy MEW/MyCrypto HD path, are not affected.
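The round trip described above, as an added example that is not code from @metamask/eth-ledger-bridge-keyring: a device-free model of a keyring that tracks a mutable "unlocked" index, drops it on serialize, and therefore signs with index 0 after a restore, beside a hardened model that persists an address-to-index map and resolves the derivation path from the address being signed with. The class names, the `fakeAddress` helper, the `accountIndexes` field and the fabricated addresses are all assumptions made for the illustration; only the BIP44 path shape with the index appended mirrors the scenario in the advisory, and the legacy MEW/MyCrypto path is not modelled.

```javascript
// Added example, hypothetical model of the advisory's bug; not the package's code.
// Addresses are fabricated stand-ins for what a Ledger would derive per index.
const BASE_PATH = "m/44'/60'/0'/0"; // BIP44 Ethereum path; the account index is appended

// Constructed: a deterministic fake address per index so the example runs offline.
function fakeAddress(index) {
  return "0x" + (0xabc0 + index).toString(16).padStart(40, "0");
}

function pathForIndex(index) {
  return `${BASE_PATH}/${index}`;
}

// Vulnerable model: signing always uses `unlockedAccount`, which is never
// serialized, so after a deserialize it silently falls back to 0.
class VulnerableKeyring {
  constructor() {
    this.accounts = [];
    this.unlockedAccount = 0; // index used for signing, set when an account is added
  }
  setAccountToUnlock(index) {
    this.unlockedAccount = index;
  }
  addAccounts(n = 1) {
    for (let i = this.unlockedAccount; i < this.unlockedAccount + n; i++) {
      const address = fakeAddress(i);
      if (!this.accounts.includes(address)) this.accounts.push(address);
    }
  }
  serialize() {
    return { hdPath: BASE_PATH, accounts: [...this.accounts] }; // index is not persisted
  }
  deserialize(state) {
    this.accounts = [...state.accounts]; // unlockedAccount stays at the constructor default, 0
  }
  pathForSigning(address) {
    if (!this.accounts.includes(address)) throw new Error(`unknown account ${address}`);
    return pathForIndex(this.unlockedAccount); // ignores which address was requested
  }
}

// Hardened model: persist an address -> index map (hypothetical `accountIndexes`)
// and derive the signing path from the requested address, never from a
// session-local "current" index. Array position is not enough, because accounts
// can be added at arbitrary indexes.
class FixedKeyring {
  constructor() {
    this.accounts = [];
    this.accountIndexes = {};
    this.unlockedAccount = 0;
  }
  setAccountToUnlock(index) {
    this.unlockedAccount = index;
  }
  addAccounts(n = 1) {
    for (let i = this.unlockedAccount; i < this.unlockedAccount + n; i++) {
      const address = fakeAddress(i);
      if (!this.accounts.includes(address)) this.accounts.push(address);
      this.accountIndexes[address] = i;
    }
  }
  serialize() {
    return {
      hdPath: BASE_PATH,
      accounts: [...this.accounts],
      accountIndexes: { ...this.accountIndexes },
    };
  }
  deserialize(state) {
    this.accounts = [...state.accounts];
    this.accountIndexes = { ...(state.accountIndexes || {}) };
  }
  pathForSigning(address) {
    const index = this.accountIndexes[address];
    if (index === undefined) throw new Error(`no index recorded for ${address}`);
    return pathForIndex(index);
  }
}

// Reproduces the advisory's scenario: add the account at `index`, sign in the same
// session, serialize, restore into a fresh keyring (simulating an app reset), sign again.
function roundTrip(KeyringClass, index) {
  const address = fakeAddress(index);
  const first = new KeyringClass();
  first.setAccountToUnlock(index);
  first.addAccounts(1);
  const pathBeforeRestart = first.pathForSigning(address);
  const restored = new KeyringClass();
  restored.deserialize(JSON.parse(JSON.stringify(first.serialize())));
  const pathAfterRestart = restored.pathForSigning(address);
  return { expected: pathForIndex(index), pathBeforeRestart, pathAfterRestart };
}

console.log("vulnerable:", roundTrip(VulnerableKeyring, 3));
console.log("fixed:     ", roundTrip(FixedKeyring, 3));
```

For index 3 the vulnerable model signs with `m/44'/60'/0'/0/3` before the restart and `m/44'/60'/0'/0/0` after it, while the fixed model returns index 3 both times; for index 0 both models agree, which is why the first account is unaffected. The practical check for any keyring that wraps an external signer is the same: persist whatever selects the signing key alongside the account list, and resolve the key from the account the caller names rather than from state that only exists while the session is alive.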
Upgrade to version 0.2.2 or later.
Advisory published: May 20th, 2020
Reported by: Unknown, Mar 26th, 2020