On December 31st, cryptocurrency wallet provider Tangem released a statement addressing the recent security vulnerability that allowed private keys to be exposed via emails. The fix was implemented after a Reddit discussion highlighted the issue, prompting users to call out Tangem for potentially putting investors’ funds at risk.
Background: The Security Vulnerability
On December 29th, a Redditor known as u/areklanga brought attention to a critical security vulnerability in the Tangem mobile app. According to their post, the wallet provider allowed private keys to remain in email histories, potentially compromising every Tangem user whose key had been sent that way. The original Reddit post describing the glitch was allegedly deleted later for unknown reasons.
Tangem’s Response and Bug Fix
In response to the criticism, Tangem acknowledged the issue on December 30th and stated that it arose from a bug in the mobile app’s log processing. The company claimed that the incident had been "fully resolved" with an update released on the same day.
Breakdown of the Situation
Tangem provided a detailed explanation of the situation:
"What was the issue? When creating a wallet with a seed phrase, the private key was mistakenly logged in the application’s logs. These logs could later be accessed during interactions with our support team."
The company emphasized that the bug affected only a small group of users who had used a generated seed phrase and immediately submitted a support request through the app within seven days of activation. This means that users without seed phrases or those who did not reach out to support through the app were unaffected.
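The failure Tangem describes is a secret reaching an application log that is later bundled into a support request. The following Python is an added example, not Tangem's code, showing one defensive pattern for that failure mode: a logging filter that redacts seed-phrase-shaped and private-key-shaped strings before any record is written, plus a scan over a log bundle that a support-upload path can use to refuse or scrub attachments. The detection patterns, the sample log lines and the `wallet-demo` logger name are constructed for this example; the word-count heuristic for seed phrases is illustrative, and a production filter would check each word against the actual BIP39 wordlist.

```python
import io
import logging
import re

# Heuristic patterns for secret-shaped material (constructed for this example).
# A 64-hex-digit string, optionally 0x-prefixed, looks like a raw 256-bit private key.
HEX_KEY_RE = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")
# Twelve to twenty-four lowercase words of 3-8 letters looks like a BIP39 seed phrase.
# Illustrative only: a real filter would check each word against the BIP39 wordlist.
SEED_PHRASE_RE = re.compile(r"\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b")

PATTERNS = [("hex-key", HEX_KEY_RE), ("seed-phrase", SEED_PHRASE_RE)]


def redact(text: str) -> str:
    """Replace every secret-shaped substring with a labelled placeholder."""
    for kind, pattern in PATTERNS:
        text = pattern.sub(f"[REDACTED:{kind}]", text)
    return text


class SecretRedactingFilter(logging.Filter):
    """Scrub the fully formatted message before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted; prevent re-substitution
        return True


def build_logger(stream) -> logging.Logger:
    """Logger whose only handler redacts secrets. The filter sits on the
    handler, so records propagated from child loggers are scrubbed too."""
    logger = logging.getLogger("wallet-demo")  # constructed logger name
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)
    return logger


def scan_support_bundle(lines):
    """Second line of defence: find secret-shaped content in a log bundle
    before it is attached to a support ticket. Returns (line_index, kind)."""
    findings = []
    for idx, line in enumerate(lines):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((idx, kind))
    return findings


def scrub_support_bundle(lines):
    """Return the bundle with every finding redacted, so it is safe to attach."""
    return [redact(line) for line in lines]


# Constructed sample bundle mimicking the bug described on the page: the seed
# and a derived key were written to the app log during wallet creation.
SAMPLE_LOG_LINES = [
    "INFO wallet created id=w-1234",
    "DEBUG seed='abandon ability able about above absent absorb abstract absurd abuse access accident'",
    "DEBUG derived key=0x" + "ab" * 32,
    "INFO support request opened",
]


def demo() -> str:
    """Log the same constructed events through the redacting logger and
    return what actually reached the output stream."""
    buf = io.StringIO()
    log = build_logger(buf)
    seed = "abandon ability able about above absent absorb abstract absurd abuse access accident"
    log.debug("wallet created, seed=%r", seed)
    log.debug("derived key=0x%s", "ab" * 32)
    log.info("support request opened for wallet %s", "w-1234")
    return buf.getvalue()


if __name__ == "__main__":
    print(demo())
    print(scan_support_bundle(SAMPLE_LOG_LINES))
```

The two layers are deliberately independent: the filter stops secrets from being written in the first place, and the bundle scan catches anything that reached disk by another path (a third-party library, an older app version) before it leaves the device with a support request.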
Limitation of Affected Users
In a statement sent to Cointelegraph, Tangem confirmed that the vulnerability was limited to fewer than 0.1% of users under specific circumstances:
"Only users who activated wallets with a seed phrase and contacted support within seven days of activation were potentially affected. Users without seed phrases or those who did not reach out to support through the app were unaffected."
Tangem reassured that no private keys were compromised, no user funds were lost, and no unauthorized account access occurred:
"No private keys were compromised, no user funds were lost, and no unauthorized account access occurred."
Handling of the Situation
The company stated that all logs and attachments sent to its support team were permanently deleted, ensuring no residual data remains. Additionally, Tangem confirmed that it had communicated directly with affected users and handled the issue transparently.
Additional Measures Implemented by Tangem
In response to the security vulnerability, Tangem has implemented several additional measures to prevent similar incidents in the future:
- Enhanced Security Protocols: The company has strengthened its security protocols to ensure that private keys are no longer exposed via emails.
- Proactive Outreach Program: Tangem is proactively reaching out to affected users with clear instructions and support.
- Bug Bounty Program: A bug bounty program has been introduced to identify vulnerabilities in exchange for rewards.
Importance of Security and Transparency
The recent security vulnerability highlights the importance of robust security measures and transparent communication in the cryptocurrency industry. As users, we must stay informed about potential risks and take the necessary precautions to protect our funds.
Best Practices for Wallet Providers
In light of this incident, we recommend that wallet providers:
- Implement Robust Security Measures: Regularly review and update security protocols to prevent similar incidents.
- Communicate Transparently: Promptly address user concerns and provide clear explanations of the situation.
- Proactively Reach Out to Affected Users: Ensure that affected users are notified and provided with necessary support.
Conclusion
The recent security vulnerability in Tangem’s mobile app serves as a reminder of the importance of robust security measures and transparent communication in the cryptocurrency industry. By learning from this incident, wallet providers can take proactive steps to prevent similar incidents and ensure user funds remain secure.