SECBIT Labs Uncovers Persistent Vulnerability in Trust Wallet's iOS App

Algoine News
Summary:
SECBIT Labs has discovered a lingering vulnerability in the iOS app of Trust Wallet, potentially affecting individuals who created accounts from February 5 to August 21, 2018. The flaw was introduced by two testing functions inadvertently incorporated into its iPhone wallet software, enabling bad actors to decipher private keys and steal assets. Although Trust Wallet has confirmed a fix for the flaw, SECBIT maintains that the bug may still affect some users.

A lingering security flaw in Trust Wallet's iOS application could still affect users, including those who no longer use the platform, according to the security researchers at SECBIT Labs. The vulnerability was active from February 5 to August 21, 2018, and affects accounts created during this window. Many users remain unaware of the bug and might still be operating with compromised wallets.

The flaw was introduced unintentionally by two testing functions that Trust Wallet called through a Trezor library, SECBIT noted. These functions were mistakenly incorporated into the iPhone wallet software, potentially enabling malicious actors to decipher users' private keys and steal their assets. Accounts created under these conditions are still exposed, SECBIT warned. SECBIT clarified that this vulnerability is unrelated to the browser extension issue that Trust Wallet addressed in April 2023.

In response to the findings, Trust Wallet confirmed in its February 15 blog post that only a handful of users were affected by the vulnerability, all of whom have been informed and transferred to safer wallets.

SECBIT came across the vulnerability while investigating an extensive cryptocurrency hack that occurred on July 12, 2023, affecting over 200 digital wallets. The hack hit wallets that had either been inactive for a long time or were secured on devices without internet connectivity, which posed a challenge for the investigators. After a thorough investigation, SECBIT identified a potential correlation between the vulnerability and a bug in the Libbitcoin Explorer Bitcoin (BTC) app known as "Milk Sad", which was discovered by the Distrust cybersecurity team on August 7, 2023. SECBIT's study revealed that the affected wallets were primarily funded between July and August 2018. Moreover, they found that the output of the insecure functions used by Trust Wallet to generate keywords was easily guessable by attackers.

SECBIT identified these under-protected accounts and conveyed its findings to Trust Wallet, emphasizing that the vulnerability should be made public. SECBIT acknowledged that other wallet developers might have made similar errors, given that Trust Wallet's code is freely available. They reported that the Trezor team updated their library with secure versions of the cited functions on July 16, 2018. That said, some users who created their accounts in the early part of 2018 might still be vulnerable if they have never moved their funds.

Trust Wallet confirmed in a public statement that the flaw no longer exists in its current app and said that users' assets are safe. It also refuted claims that it had given users inadequate information about the issue. Reviewing the victim addresses, Trust Wallet found that just a third of them were linked to the mentioned flaw and that, of the affected 2,000 addresses, only 600 were generated by its app. In its defense, Trust Wallet claimed that some of these addresses might have been imported from other platforms. It encouraged security experts to take part in its bounty program for identifying vulnerabilities, underlining its commitment to security.

The Klever wallet acknowledged in a July 12, 2023 report that some of the affected accounts had used its service. Nevertheless, it asserted that these addresses were imported and not originally generated by Klever.

Trezor's Chief Technology Officer, Tomáš Sušánka, noted that the function at the center of the controversy was intended solely for testing purposes, as stated explicitly in its source code. He added that it is unrealistic to expect misuse to be prevented in open-source projects.

In conclusion, SECBIT urged anyone who used Trust Wallet during the vulnerable period to migrate to new wallets and abandon the compromised ones. They stressed the risk of further financial losses because users remain unaware of the issue.

Published At

3/12/2024 4:00:00 PM
