{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/credential-forgery/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["credential-forgery","ruby","bsv-sdk","bsv-wallet"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003ebsv-sdk\u003c/code\u003e and \u003ccode\u003ebsv-wallet\u003c/code\u003e Ruby gems are vulnerable to credential forgery due to a signature verification bypass in the \u003ccode\u003eacquire_certificate\u003c/code\u003e function. This function, present in both gems, persists certificate records to storage without properly verifying the certifier\u0026rsquo;s signature. An attacker can exploit this vulnerability through two acquisition paths: by directly supplying certificate fields (direct path) or by controlling a certifier endpoint (issuance path). This allows the attacker to forge identity certificates that are then treated as authentic by other functions like \u003ccode\u003elist_certificates\u003c/code\u003e and \u003ccode\u003eprove_certificate\u003c/code\u003e. The vulnerability affects \u003ccode\u003ebsv-sdk\u003c/code\u003e versions \u0026gt;= 0.3.1 and \u0026lt; 0.8.2, and \u003ccode\u003ebsv-wallet\u003c/code\u003e versions \u0026gt;= 0.1.2 and \u0026lt; 0.3.4. This vulnerability was identified during a cross-SDK compliance review conducted on 2026-04-08.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a system that uses either the \u003ccode\u003ebsv-sdk\u003c/code\u003e or \u003ccode\u003ebsv-wallet\u003c/code\u003e Ruby gem.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes the \u003ccode\u003eacquire_certificate\u003c/code\u003e function with \u003ccode\u003eacquisition_protocol: 'direct'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker supplies arbitrary certificate fields, including a forged \u003ccode\u003esignature\u003c/code\u003e, a \u003ccode\u003ecertifier\u003c/code\u003e, \u003ccode\u003eserial_number\u003c/code\u003e, and \u003ccode\u003erevocation_outpoint\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker invokes the \u003ccode\u003eacquire_certificate\u003c/code\u003e function with \u003ccode\u003eacquisition_protocol: 'issuance'\u003c/code\u003e and specifies a malicious certifier URL they control.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eacquire_certificate\u003c/code\u003e function persists the attacker-supplied certificate data to storage without verifying the certifier\u0026rsquo;s signature.\u003c/li\u003e\n\u003cli\u003eThe attacker or a downstream process invokes \u003ccode\u003elist_certificates\u003c/code\u003e or \u003ccode\u003eprove_certificate\u003c/code\u003e to retrieve the forged certificate.\u003c/li\u003e\n\u003cli\u003eThe application trusts the forged certificate as authentic, leading to credential forgery and potential unauthorized access or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to forge identity certificates attributed to arbitrary certifier identities. This can lead to credential forgery, where the attacker can assert false attributes about a subject. Applications relying on the wallet\u0026rsquo;s certificate store for identity attributes, such as KYC assertions or role claims, become vulnerable to credential forgery. This is a credential-forgery primitive, not merely a spec divergence from BRC-52.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ebsv-sdk \u0026gt;= 0.8.2\u003c/code\u003e or \u003ccode\u003ebsv-wallet \u0026gt;= 0.3.4\u003c/code\u003e to patch the vulnerability. These versions implement signature verification using \u003ccode\u003eBSV::Wallet::CertificateSignature\u003c/code\u003e and raise \u003ccode\u003eBSV::Wallet::CertificateSignature::InvalidError\u003c/code\u003e for invalid certificates.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, do not expose \u003ccode\u003eacquire_certificate\u003c/code\u003e (either acquisition protocol) to untrusted callers, as described in the Workarounds section of this brief.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, treat any record returned by \u003ccode\u003elist_certificates\u003c/code\u003e / \u003ccode\u003eprove_certificate\u003c/code\u003e as unverified and perform an out-of-band BRC-52 verification against the certifier\u0026rsquo;s public key before acting on it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T20:28:10Z","date_published":"2026-04-09T20:28:10Z","id":"/briefs/2026-04-bsv-credential-forgery/","summary":"The bsv-sdk and bsv-wallet packages are vulnerable to credential forgery because the `acquire_certificate` function persists certificate records to storage without verifying the certifier's signature, allowing attackers to forge identity certificates.","title":"bsv-sdk and bsv-wallet Credential Forgery Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-bsv-credential-forgery/"}],"language":"en","title":"CraftedSignal Threat Feed — Credential-Forgery","version":"https://jsonfeed.org/version/1.1"}