{"id":44365,"date":"2024-12-31T15:01:23","date_gmt":"2024-12-31T15:01:23","guid":{"rendered":"https:\/\/crowdfundjunction.com\/blog\/crypto-wallet-tangem-faces-backlash-after-app-bug-exposes-users-private-keys\/"},"modified":"2024-12-31T15:01:23","modified_gmt":"2024-12-31T15:01:23","slug":"crypto-wallet-tangem-faces-backlash-after-app-bug-exposes-users-private-keys","status":"publish","type":"post","link":"https:\/\/crowdfundjunction.com\/blog\/crypto-wallet-tangem-faces-backlash-after-app-bug-exposes-users-private-keys\/","title":{"rendered":"Crypto wallet Tangem faces backlash after app bug exposes users\u2019 private keys"},"content":{"rendered":"<p><b>(Originally posted on : Invezz )<\/b><br \/>\n<\/p>\n<div><\/div>\n<p>Tangem, a cryptocurrency wallet provider, has been embroiled in controversy after a critical security vulnerability in its mobile app exposed some users&#8217; private keys.<\/p>\n<p>According to Tangem, the vulnerability stemmed from a bug in Tangem&#8217;s mobile app, which mistakenly logged users&#8217; private keys in the application&#8217;s logs when a user created a wallet and generated a seed phrase.<\/p>\n<p>Notably, the issue was spotted by Tangem wallet users on the social media platform Reddit but was only addressed by the company after a December 29 <a target=\"_blank\" href=\"https:\/\/www.reddit.com\/r\/Tangem\/comments\/1hougo1\/is_tangem_compromised_or_is_it_scam\/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button\" rel=\"noopener\">post<\/a> from user u\/areklanga drew attention to the issue.<\/p>\n<p>The Redditor claimed that logs were not only stored in the app but also potentially accessible through user email histories, Tangem&#8217;s internal support systems, and ticket-tracking tools.<\/p>\n<p>Adding to the controversy, the original post that flagged the bug was deleted, and the company did not \u201cprovide any sensible reaction,\u201d the user added.<\/p>\n<h2 
class=\"wp-block-heading\">What happened?<\/h2>\n<p>Tangem addressed the issue in a December 29 response, claiming it had minimal impact and affected only users who \u201cimmediately submitted a support request through the app\u201d after using a generated seed phrase.<\/p>\n<p>Tangem&#8217;s seed generation process offers users the option to create wallets with or without a seed phrase. When a user opts to create a wallet with a seed phrase, the Tangem app generates a 12- or 24-word phrase based on the BIP39 standard.<\/p>\n<p>This phrase is displayed once during setup, and users are required to write it down and store it securely, as it cannot be retrieved later.<\/p>\n<p>In a follow-up <a target=\"_blank\" href=\"https:\/\/www.reddit.com\/r\/Tangem\/comments\/1hougo1\/comment\/m4jygh9\/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button\" rel=\"noopener\">post<\/a> on December 30, the company said the bug, which was introduced while adding an NFC logging mechanism, was patched in a recent update and urged users to update the mobile application.<\/p>\n<p>Regarding the impact of the breach, the firm said the affected users amounted to \u201cfewer than 0.1%,\u201d namely users who activated a wallet using a seed phrase and contacted support \u201cwithin 7 days of activation.\u201d<\/p>\n<p>It added that the incident did not lead to any loss of funds as none of the users&#8217; private keys were compromised.<\/p>\n<p>As part of its post-incident measures, Tangem has reached out to affected users and permanently deleted all log attachments sent to the company\u2019s support team.<\/p>\n<p>As of writing, Tangem\u2019s response has been limited to Reddit, and it has not made any announcements regarding the incident across its other social media channels. 
<\/p>\n<p>This has led to some criticism from community members, many of whom remain <a target=\"_blank\" href=\"https:\/\/www.reddit.com\/r\/Tangem\/comments\/1hougo1\/comment\/m4mw152\/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button\" rel=\"noopener\">sceptical<\/a> of the measures taken by the wallet provider.\u00a0\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Private key theft remains a concern<\/h2>\n<p>Private keys remain at risk from various threats, including software vulnerabilities, phishing attacks, and improper storage practices.&nbsp;<\/p>\n<p>As previously <a href=\"https:\/\/invezz.com\/news\/2024\/12\/24\/crypto-hack-losses-doubled-across-centralised-finance-platforms-in-2024-report\/\">reported<\/a> by Invezz, private key theft was the biggest attack vector for 2024, accounting for roughly 75% of all hacks. In the third quarter alone, over $343 million was lost, according to a separate <a href=\"https:\/\/invezz.com\/news\/2024\/09\/26\/wazirx-and-bingx-hacks-lead-q3-accounting-for-69-5-of-losses\/\">report<\/a>.<\/p>\n<p>Private key leaks led to some of the biggest losses for the year as well. 
For instance, the July hack of the Indian crypto exchange <a href=\"https:\/\/invezz.com\/news\/2024\/11\/29\/wazirx-hack-new-allegations-reignite-debate-over-inside-job-vs-cyberattack\/\">WazirX<\/a> stemmed from compromised private keys, which led to over $235 million in losses.<\/p>\n<p>The post <a href=\"https:\/\/invezz.com\/news\/2024\/12\/31\/crypto-wallet-tangem-faces-backlash-after-app-bug-exposes-users-private-keys\/\">Crypto wallet Tangem faces backlash after app bug exposes users&#8217; private keys<\/a> appeared first on <a href=\"https:\/\/invezz.com\/\">Invezz<\/a><\/p>\n<p><a href=\"https:\/\/invezz.com\/news\/2024\/12\/31\/crypto-wallet-tangem-faces-backlash-after-app-bug-exposes-users-private-keys\/\">Source link <\/a><br \/>\n<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>(Originally posted on : Invezz ) Tangem, a cryptocurrency wallet provider, has been embroiled in controversy after a critical security vulnerability in its mobile app exposed some users&#8217; private keys. 
According to Tangem, the vulnerability stemmed from a bug in Tangem&#8217;s mobile app, which mistakenly logged users&#8217; private keys in the application&#8217;s logs when a [&hellip;]<\/p>\n","protected":false},"author":3947362366,"featured_media":44366,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[38],"tags":[],"_links":{"self":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts\/44365"}],"collection":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/users\/3947362366"}],"replies":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/comments?post=44365"}],"version-history":[{"count":0,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts\/44365\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/media\/44366"}],"wp:attachment":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/media?parent=44365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/categories?post=44365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/tags?post=44365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}