Multicoin Wallet Tangem Fixes Bug Exposing User Private Keys
Multicoin wallet provider Tangem has addressed a significant vulnerability in its mobile app that exposed users' private keys through support emails.
- On December 29, Reddit user u/areklanga raised concerns that Tangem had not promptly addressed a security issue, alleging that private keys were stored in email histories and potentially in Tangem's internal systems. The user also mentioned that a prior Reddit post about the issue had been mysteriously deleted.
- Tangem acknowledged the flaw the next day, December 30, and released a bug fix to resolve it.
"When activating a wallet with a seed phrase—by generating or importing one—the private key was mistakenly logged in the mobile app's logs. These logs could later be accessed during interactions with our support team," the project acknowledged in a blog post.
- Affected users include individuals who:
1) Activated a wallet using a seed phrase, AND
2) Contacted Tangem's support team through its dedicated app within 7 days of wallet activation.
"Only a combination of these two scenarios could create a vulnerability. If you generated or imported a seed phrase but did not email support directly from the app within the 7-day log storage period, you could not be affected," said the firm.
- The project estimates that the issue potentially affects less than 0.1% of its user base. Affected users are urged to move their funds out of potentially compromised wallets.
- According to the team, the issue arose from an advanced NFC logging mechanism that contained a bug, which went undetected during the initial code reviews and testing.
- The company also stated that users who activated their wallets without seed phrases remain unaffected, as their private keys are generated directly on Tangem's hardware cards.
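An added illustration, not Tangem's code (the page does not show it): a write-time log filter for the failure described above, where key material reached app logs that were kept for 7 days and could accompany support emails. The logger name, the token patterns and the sample key are assumptions constructed for this example.

```python
import io
import logging
import re

# Key-shaped tokens. Deliberately broad: a 32-byte transaction hash is redacted
# too, which is an acceptable loss in a log that may leave the device.
PATTERNS = [
    # BIP-32 extended private key: "xprv" followed by Base58 characters.
    ("xprv", re.compile(r"xprv[1-9A-HJ-NP-Za-km-z]{100,110}")),
    ("hex-256+", re.compile(r"(?:0x)?[0-9A-Fa-f]{64,}")),
]


def scrub(text):
    """Return (clean_text, kinds) where kinds lists what was redacted."""
    kinds = []
    for kind, pattern in PATTERNS:
        text, count = pattern.subn(f"[REDACTED {kind}]", text)
        kinds.extend([kind] * count)
    return text, kinds


class KeyRedactingFilter(logging.Filter):
    """Redacts key material before any handler writes the record."""

    def filter(self, record):
        # Format first, so secrets passed as %-style args are caught as well.
        clean, kinds = scrub(record.getMessage())
        if kinds:
            record.msg, record.args = clean, ()
            record.redacted = kinds  # lets tests and alerting see the hit
        return True


def demo():
    """Log a constructed activation event and return what reached the sink."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.addFilter(KeyRedactingFilter())
    log = logging.getLogger("wallet.nfc.demo")  # hypothetical logger name
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.DEBUG)
    fake_key = "ab" * 32  # constructed value, not a real key
    log.debug("seed import ok, derived key=%s", fake_key)
    log.debug("card scan finished in %d ms", 412)
    return fake_key, sink.getvalue()
```

Calling `demo()` returns the constructed key and the sink contents; the same `scrub` function can be run over an existing log export before it is attached to a support message.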
Reddit Thread
Tangem Blog Post / Archive