Tangem, a cryptocurrency wallet provider, has been embroiled in controversy after a critical security vulnerability in its mobile app exposed some users’ private keys.
According to Tangem, the vulnerability stemmed from a bug in Tangem’s mobile app, which mistakenly logged users’ private keys in the application’s logs when a user created a wallet and generated a seed phrase.
Notably, the issue was spotted by Tangem wallet users on the social media platform Reddit but was only addressed by the company after a December 29 post from user u/areklanga drew attention to the issue.
The Redditor claimed that logs were not only stored in the app but also potentially accessible through user email histories, Tangem’s internal support systems, and ticket-tracking tools.
Adding to the controversy, the original post that flagged the bug was deleted, and the company did not “provide any sensible reaction,” the user added.
What happened?
Tangem addressed the issue in a December 29 response, claiming the issue had minimal impact and only affected users who “immediately submitted a support request through the app” after using a generated seed phrase.
Tangem’s seed generation process offers users the option to create wallets with or without a seed phrase. When a user opts to create a wallet with a seed phrase, the Tangem app generates a 12 or 24-word phrase based on the BIP39 standard.
This phrase is displayed once during setup, and users are required to write it down and store it securely, as it cannot be retrieved later.
In a follow-up post on December 30, the company said the bug, which was introduced while adding an NFC logging mechanism, was patched in a recent update and urged users to update the mobile application.
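The failure described above is a logging path that receives a secret it was never meant to see. As a defensive illustration (added here, not Tangem's code, and not a reconstruction of the actual bug), the following Python snippet shows a logging filter that scrubs values shaped like a BIP39 mnemonic (12 or 24 space-separated words) or a 32-byte hex private key before any handler writes the record, so a log attachment sent to support cannot carry the seed phrase. The mnemonic check is a shape heuristic, not a BIP39 wordlist lookup, and the logger name, the log message and the sample mnemonic (the well-known all-"abandon" test vector) are constructed for this example.

```python
"""Redact wallet secrets at the log sink, before they reach any file or support ticket."""
import logging
import re

# Heuristic shapes: 24 or 12 lowercase words of 3-8 letters (BIP39 word lengths),
# and 64 hex characters with an optional 0x prefix (a 32-byte private key).
# This is an assumption-driven heuristic, not a wordlist validation.
_MNEMONIC_RE = re.compile(
    r"\b(?:[a-z]{3,8} ){23}[a-z]{3,8}\b"   # 24-word phrase
    r"|\b(?:[a-z]{3,8} ){11}[a-z]{3,8}\b"  # 12-word phrase
)
_HEX_KEY_RE = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")


def redact(text: str) -> str:
    """Replace anything that looks like a private key or seed phrase with a marker."""
    text = _HEX_KEY_RE.sub("[REDACTED-PRIVATE-KEY]", text)
    text = _MNEMONIC_RE.sub("[REDACTED-SEED-PHRASE]", text)
    return text


class SecretRedactingFilter(logging.Filter):
    """Handler-level filter: formats the record once, scrubs it, and drops the args
    so the original secret is no longer reachable from the record object."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # keep the (now scrubbed) record


class ListHandler(logging.Handler):
    """Captures formatted records in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.records: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


def log_wallet_creation(mnemonic: str, hex_key: str) -> list[str]:
    """Emit a log line that (wrongly) interpolates secrets, as a buggy app might,
    and return what the handler actually recorded after redaction."""
    logger = logging.getLogger("wallet-demo")  # constructed logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = ListHandler()
    handler.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)
    # Constructed message in the style of a device-session log line.
    logger.info("nfc session closed; seed=%s key=%s", mnemonic, hex_key)
    return handler.records


if __name__ == "__main__":
    # Constructed sample secrets: the all-"abandon" BIP39 test vector and a dummy hex key.
    sample_mnemonic = " ".join(["abandon"] * 11 + ["about"])
    sample_key = "ab" * 32
    for line in log_wallet_creation(sample_mnemonic, sample_key):
        print(line)
```

Attaching the filter to the handler rather than the logger means it also scrubs records that arrive through propagation from child loggers, and clearing `record.args` matters because the raw arguments would otherwise survive on the record for any later handler or exception hook to read. The heuristic deliberately over-matches (any run of twelve short lowercase words is redacted), which is the right trade-off for a log channel that is later forwarded to third parties.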
Regarding the impact of the breach, the firm said the affected users amounted to “fewer than 0.1%” of its user base: those who activated a wallet using a seed phrase and contacted support “within 7 days of activation.”
It added that the incident did not lead to any loss of funds, as none of the users’ private keys were compromised.
As a part of its post-incident measures, Tangem has reached out to affected users and permanently deleted all log attachments sent to the company’s support team.
As of writing, Tangem’s response has been limited to Reddit, and it has not made any announcements regarding the incident across its other social media channels.
This has led to some criticism from community members, many of whom remain sceptical of the measures taken by the wallet provider.
Private key theft remains a concern
Private keys remain at risk from various threats, including software vulnerabilities, phishing attacks, and improper storage practices.
As previously reported by Invezz, private key theft was the biggest attack vector for 2024, accounting for roughly 75% of all hacks. In the third quarter alone, over $343 million was lost, according to a separate report.
Private key leaks led to some of the biggest losses for the year as well. For instance, the July hack of the Indian crypto exchange WazirX stemmed from compromised private keys, which led to over $235 million in losses.
The post Crypto wallet Tangem faces backlash after app bug exposes users’ private keys appeared first on Invezz