According to a recent report by SECBIT Labs, an old vulnerability in the Trust Wallet iOS app may still pose a risk to users who created wallets during a specific period, even if they no longer use the app. The flaw was only present from Feb. 5 to Aug. 21, 2018, and does not affect wallets created after that time. However, some users may be unaware of it and may still be using, or planning to use, wallets that are exposed.
The vulnerability was caused by two functions in the Trezor crypto library that Trust Wallet used, both of which were intended only for testing. Despite the library's own warnings that they were not suitable for production, the functions were accidentally built into the iPhone wallet app. The mistake made it possible for attackers to guess the private keys of certain users and steal their funds, and according to SECBIT those wallets remain at risk today.
This vulnerability is separate from the browser extension flaw that the Trust Wallet team acknowledged in April 2023. Responding to SECBIT's claims in a blog post on Feb. 15, Trust Wallet stated that the vulnerability affected only a small number of users, all of whom were notified and migrated to new wallets. Trust Wallet also said the vulnerability was patched in July 2018 and that the app is currently safe to use.
SECBIT uncovers vulnerability in Trust Wallet iOS app
The SECBIT research team discovered the flaw in the Trust Wallet iOS app while investigating a widespread attack on cryptocurrency wallets. The attack occurred on July 12, 2023, and drained over 200 crypto accounts, many of which had not been used in months or were held offline. The victims used various wallet apps, with Trust Wallet and Klever Wallet the most common, which made the root cause hard to pin down and caught the researchers' interest.
On closer examination, the team found that most of the affected accounts had first received funds between July and August 2018. Their investigation then hit a dead end, and they moved on to other projects.
On Aug. 7, 2023, the security firm Distrust disclosed a vulnerability, dubbed "Milk Sad," in Libbitcoin Explorer (bx), a Bitcoin (BTC) command-line tool. The flaw let attackers guess users' private keys. After learning of it, the SECBIT team suspected that a similar weakness might explain the July 12 attack.
The researchers revisited the Trust Wallet code from July to August 2018 and found that the iOS versions of the app used the "random32()" and "random_buffer()" functions from Trezor's crypto library to generate mnemonic phrases. The library's own developer notes marked these functions as unsuitable for production use. Despite that warning, they were in the shipped app, and the researchers found that the resulting seed words carried far less entropy than a mnemonic is supposed to have, so an attacker could enumerate the candidate phrases. This put any Trust Wallet wallet created on an iOS device during that window at risk of being drained.
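The failure mode SECBIT describes, a test-only entropy source standing in for a proper one, can be illustrated with an added Python model. This is not trezor-crypto's or Trust Wallet's code: the 32-bit clock seed, the 16-byte entropy size and the hash "fingerprint" that stands in for deriving an address are assumptions made for the demonstration. It shows why the attacker's search collapses from 2^128 to the number of seconds in the suspected creation window, and why an address generated this way stays guessable whether or not it was ever funded.

```python
import hashlib
import random
import secrets

# Constructed model, not trezor-crypto's code: a "test-only" entropy source
# that seeds a non-cryptographic PRNG from a 32-bit clock value. Everything it
# emits is a deterministic function of that single timestamp (assumption).
def weak_entropy(timestamp: int, nbytes: int = 16) -> bytes:
    rng = random.Random(timestamp & 0xFFFFFFFF)  # assumed 32-bit time seed
    return bytes(rng.getrandbits(8) for _ in range(nbytes))

# Hardened form: draw entropy from the OS CSPRNG.
def strong_entropy(nbytes: int = 16) -> bytes:
    return secrets.token_bytes(nbytes)

# Stand-in for "derive an address from the mnemonic and look it up on chain".
# A real attacker would run the BIP39 and BIP32 derivation per candidate; that
# multiplies the per-candidate cost by a constant but not the size of the search.
def fingerprint(entropy: bytes) -> str:
    return hashlib.sha256(b"wallet-fingerprint|" + entropy).hexdigest()[:16]

def candidates_in_window(start_ts: int, end_ts: int) -> int:
    """Size of the attacker's search space when the seed is a clock value."""
    return end_ts - start_ts + 1

def recover_weak_entropy(target_fp: str, start_ts: int, end_ts: int):
    """Enumerate every second in the suspected creation window.

    Returns (timestamp, entropy) on a match, or None if the fingerprint was not
    produced by the weak generator inside that window.
    """
    for ts in range(start_ts, end_ts + 1):
        cand = weak_entropy(ts)
        if fingerprint(cand) == target_fp:
            return ts, cand
    return None

if __name__ == "__main__":
    # Constructed scenario: a wallet created at some second within a one-day window.
    created_at = 1_531_699_200
    victim_fp = fingerprint(weak_entropy(created_at))
    day = (created_at - 43_200, created_at + 43_200)
    print("search space (seconds in window):", candidates_in_window(*day))
    print("search space for 128-bit CSPRNG entropy:", 2 ** 128)
    print("recovered from weak generator:", recover_weak_entropy(victim_fp, *day))
    print("same attack vs. CSPRNG entropy:",
          recover_weak_entropy(fingerprint(strong_entropy()), *day))
```

The window in the example is one day; SECBIT's affected period runs for months, which is still only tens of millions of candidates and far below the 2^128 a 12-word mnemonic is meant to provide. Nothing in the search depends on the address holding funds, which is why the report warns against funding an old address that was generated this way.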
SECBIT said it compiled a database of compromised addresses and shared it with the Trust Wallet team. Comparing that database against the victims of the July 12 attack, the researchers found that 83% of the victim addresses had been generated with the "random32()" and "random_buffer()" functions. When presented with this, Trust Wallet reportedly replied that it had already notified users privately in 2018 and emphasized that the compromised addresses held zero balances and could not be used to steal funds. SECBIT urged Trust Wallet to disclose the vulnerability publicly; when it did not, SECBIT published its findings.
SECBIT also cautioned that, because Trust Wallet is open-source, another wallet developer may have forked the code and caused their own users to generate vulnerable addresses, or may have independently made the same mistake by using the Trezor crypto library from that period. According to the researchers, Trezor updated the library on July 16, 2018, but any address generated by the old code remains guessable whether or not it was ever funded, so a user who created a wallet in early 2018 and only sends funds to it now is still exposed.
The Response from Trust Wallet
When contacted by Cointelegraph, Trust Wallet provided a statement on the issue. The team emphasized that the current version of Trust Wallet is not affected by the vulnerability and reassured users that their funds and wallets are safe to use. It added that the earlier vulnerability in its open-source code was quickly patched with help from the security community, and that affected users were notified and migrated to secure wallets.
Trust Wallet rejected the claim that it had not sufficiently informed users. It said its founder took immediate action to inform all impacted users and give them a secure migration path, and clarified that only a small portion of the hacked addresses had been generated by its app, with the majority of victims not being Trust Wallet users. Trust Wallet also pointed to its bug bounty program and its commitment to keeping the wallet secure.
In a report dated July 12, 2023, Klever Wallet confirmed that some of the victims also used its app, but said all of those addresses had been imported rather than created by Klever.
When asked for comment, Trezor’s chief technology officer, Tomáš Sušánka, emphasized that the function at the center of the controversy was only intended for testing and not for official project development.
SECBIT's report advised iOS users with Trust Wallet wallets from the affected period to migrate to new wallets and stop using the old ones, warning that users may still be relying on vulnerable wallets without knowing it, which could lead to further loss of funds.