UPDATED | February 6, 2018:
Ledger provided additional information on the measures it is taking to address this vulnerability. First and foremost among them: it will add a step to the workflow of the "Ledger Wallet Bitcoin Chrome application" which encourages each user to double-check that the receive address on their wallet's screen matches the one on their computer monitor. While the post says that customers will be "required to verify" this match, the fix still leaves room for user error: a user who clicks through the prompt without actually comparing the two addresses gains no protection. The statement also says that "ETH and XRP apps will benefit from the feature in the new global release."
The company is encouraging its users "to find bugs, or security vulnerabilities," and says, "While our bounty program has not been officially launched yet, there is already a dedicated mail address set up."
ORIGINAL | February 5, 2018:
Ledger, a company that offers cryptocurrency wallets, acknowledged on February 3 that all of its hardware wallets are affected by a vulnerability which could allow a malicious party to provide clients with false receive addresses, so that cryptocurrency that is intended to be received by the customer would end up in an attacker's wallet instead.
A Twitter account run by the company issued a tweet that included a hyperlink to a report detailing the vulnerability. The researchers behind the document did not identify themselves, referring to themselves only as "we."
As Ledger says on an instructional page of its website, a "Ledger wallet generates a new address each time you want to receive a payment." (The page was updated on February 5, and when ETHNews accessed it, the quoted text and other information pertinent to the vulnerability was highlighted in red.)
Both the report and documentation available from Ledger offer guidance on how to verify that a bitcoin receive address is correct. As Ledger puts it, "Click on the button looking like a monitor under the QRCODE. It will show the address on the [screen of the hardware wallet itself]. It is very important to verify that you see the same address" in both places. The point of the comparison is that the computer, not the device, is what an attacker can compromise: if the address on a user's monitor does not match the one on their wallet's screen, the address on the monitor has been tampered with and must not be used.
According to the report, however, no such verification step is available in Ledger's Ethereum app. "The Ethereum App (and possibly other apps as well) has no mitigation, the user has no way to validate if the receive address has been tampered." Therefore, its authors recommend that "If you're using the Ethereum App – Treat the ledger hardware wallet the same as any other software-based wallet, and use it only on a Live CD operating system that is guaranteed to be malware-free. At least until this issue receives some kind of fix."
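The following Python model is an added example; it is not code from the researchers' report or from Ledger. It shows why the screen comparison above is the only check that works: malware on the host replaces the address the Chrome app displays with an address the attacker controls, and since the attacker's address is itself well-formed, host-side checks such as the Base58Check checksum on a Bitcoin P2PKH address pass. The hash160 values are constructed from SHA-256 of fixed strings and are not real keys; the genesis-block address in the usage note is a real, well-known address used only as a known-valid input. The same reasoning applies to the Ethereum app, where an EIP-55 checksum would likewise not detect substitution by another valid address.

```python
"""Added example (not from the Ledger report or from Ledger's own code).

Models the receive-address substitution described above: malware on the host
swaps the address the Chrome app shows for one the attacker controls. Because
the attacker's address is itself well-formed, client-side format checks such
as the Base58Check checksum pass; the only check that survives a compromised
host is comparing the host's address with the one the hardware wallet's own
screen shows. Hash160 values below are constructed from SHA-256 of fixed
strings, not real keys.
"""
import hashlib

# Bitcoin Base58 alphabet: no 0, O, I or l.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
P2PKH_VERSION = 0  # mainnet pay-to-pubkey-hash version byte


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(version: int, payload: bytes) -> str:
    """version byte + payload + first 4 bytes of double SHA-256, in base58."""
    raw = bytes([version]) + payload
    raw += _sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # Each leading zero byte is encoded as a leading '1'.
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def base58check_decode(addr: str):
    """Return (version, payload) if the checksum verifies, else None."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the alphabet
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_ones + body
    if len(raw) < 5:
        return None
    data, checksum = raw[:-4], raw[-4:]
    if _sha256d(data)[:4] != checksum:
        return None
    return data[0], data[1:]


def looks_like_valid_p2pkh(addr: str) -> bool:
    """What a host-side app can check on its own: syntax and checksum."""
    decoded = base58check_decode(addr)
    return (decoded is not None
            and decoded[0] == P2PKH_VERSION
            and len(decoded[1]) == 20)


def device_confirms(host_shown: str, device_shown: str) -> bool:
    """The check Ledger's documentation describes: the address on the monitor
    must match, character for character, the one on the wallet's screen."""
    return host_shown == device_shown


# Constructed stand-ins for hash160 values (not derived from real keys).
USER_HASH160 = hashlib.sha256(b"user receive key").digest()[:20]
ATTACKER_HASH160 = hashlib.sha256(b"attacker key").digest()[:20]


def simulate_substitution():
    """Honest flow versus a compromised host; returns what each check says."""
    device_shown = base58check_encode(P2PKH_VERSION, USER_HASH160)
    honest_host = device_shown  # uncompromised host shows the device's address
    tampered_host = base58check_encode(P2PKH_VERSION, ATTACKER_HASH160)
    return {
        "honest_passes_format": looks_like_valid_p2pkh(honest_host),
        "honest_matches_device": device_confirms(honest_host, device_shown),
        # The substituted address is fully valid: checksum checks cannot catch it.
        "tampered_passes_format": looks_like_valid_p2pkh(tampered_host),
        "tampered_matches_device": device_confirms(tampered_host, device_shown),
    }


if __name__ == "__main__":
    for check, result in simulate_substitution().items():
        print(f"{check}: {result}")
```

Running the script prints that both the honest and the substituted address pass the format and checksum check, and that only the comparison with the device screen distinguishes them. A corrupted address (one character changed) fails the checksum, which is the case the checksum was designed for; an attacker does not corrupt the address, they replace it with a valid one of their own.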
By press time, Ledger had not responded to an ETHNews inquiry on whether this vulnerability threatens to affect the sending and receiving of Ether.
The document also relates that the researchers behind it reached out to Ledger with their findings, and on January 27, the company's CTO told them that "no fix/change would be done (our recommendation to enforce the user to validate the receive address has been rejected), but they will work on raising public awareness so that users can protect themselves from such attacks."
A page on Ledger's website under the header "Basic security principles (must read)," which was also updated on February 5, cautions users that "Using a hardware wallet doesn't make you invincible… Don't trust, verify."