
Cryptocurrency Wallet Provider Tangem Fixes Critical Security Vulnerability
Update: December 31, 12:40 pm UTC
This article has been updated to include Tangem’s statement to Cointelegraph on the security vulnerability, the fix, and its handling of the situation.
A Critical Security Vulnerability in Tangem’s Mobile App
Cryptocurrency wallet provider Tangem has recently fixed a critical security vulnerability in its mobile app that allowed certain users’ private keys to be collected via emails. The fix came after Redditors repeatedly called out Tangem for putting investors’ funds at risk by exposing their private keys on email accounts and making them accessible to Tangem employees.
The Vulnerability and Its Consequences
On December 29, a Reddit discussion about Tangem’s operations gained traction, claiming that the wallet provider allowed private keys to remain on email histories. The Redditor, u/areklanga, added that Tangem had not provided a "sensible reaction" when the issue was pointed out earlier.
So, user private keys remain in both user email history, Tangem email history, and perhaps in some Tangem ticket tracking system and are available for Tangem employees. Which makes all Tangem users compromised.
They also claimed that the original Reddit post mentioning the glitch "was deleted for some reason."
Tangem’s Response and Fix
Tangem acknowledged the issue on December 30 and said the incident arose from a bug in the mobile app’s log processing, which had been "fully resolved." Tangem provided a breakdown of the situation:
What was the issue? When creating a wallet with a seed phrase, the private key was mistakenly logged in the application’s logs. These logs could later be accessed during interactions with our support team.
Tangem got a new update on December 30. Source: Google Play
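The failure described above, key material written to application logs that later travel with a support request, is commonly guarded against by scrubbing records before they reach the log sink. The following is an added example, not Tangem's code: a Python logging filter with hypothetical names, constructed sample values, and a heuristic seed-phrase pattern (12 or more lowercase words of 3 to 8 letters, the shape of a BIP-39 mnemonic).

```python
import logging
import re

# A 32-byte key printed as 64+ hex characters, with or without a 0x prefix.
HEX_KEY = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64,}\b")
# Heuristic (assumption): 12+ consecutive lowercase words of 3-8 letters.
# A stricter check would test every word against the BIP-39 wordlist.
MNEMONIC = re.compile(r"\b[a-z]{3,8}(?:\s+[a-z]{3,8}){11,}\b")

# Constructed sample secrets, not real key material.
SAMPLE_KEY = "ab" * 32
SAMPLE_MNEMONIC = ("alpha bravo charlie delta echo foxtrot "
                   "golf hotel india juliet kilo lima")

def redact(text):
    text = HEX_KEY.sub("[REDACTED-KEY]", text)
    return MNEMONIC.sub("[REDACTED-MNEMONIC]", text)

class SecretRedactingFilter(logging.Filter):
    def filter(self, record):
        # Redact the fully formatted message so secrets passed as %-args
        # are caught as well as secrets embedded in the format string.
        record.msg = redact(record.getMessage())
        record.args = None
        return True

class ListHandler(logging.Handler):
    """Stands in for the log file later attached to a support request."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))

def demo():
    handler = ListHandler()
    # Filter on the handler so records from every logger feeding it are scrubbed.
    handler.addFilter(SecretRedactingFilter())
    log = logging.getLogger("wallet.demo")  # hypothetical logger name
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    log.info("wallet created, key=%s", SAMPLE_KEY)
    log.info("imported mnemonic=%s", SAMPLE_MNEMONIC)
    log.info("support ticket opened for card %s", "AB01")
    log.removeHandler(handler)
    return handler.lines
```

Redaction of this kind is a backstop; the primary control is never passing key material to the logger in the first place.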
According to the company’s Reddit post, the bug affected a small group of users, and they are being contacted proactively for caution and support:
It could have affected a very limited group of users: specifically, those who used a generated seedphrase, then immediately submitted a support request through the app. It does not affect any other users.
In a statement sent to Cointelegraph, Tangem confirmed that the vulnerability was limited to fewer than 0.1% of users under specific circumstances. Only users who activated wallets with a seed phrase and contacted support within seven days of activation were potentially affected. Users without seed phrases or those who did not reach out to support through the app were unaffected.
"No private keys were compromised, no user funds were lost, and no unauthorized account access occurred," Tangem said in the statement, addressing concerns raised by the crypto community.
Tangem’s Handling of the Situation
Tangem’s official website, which logs all version updates of its mobile application, did not mention the details about the December 30 update at the time of publication. Tangem also confirmed in its Reddit response that "all logs and attachments sent to its support team were permanently deleted, ensuring no residual data remains."
Accusations of Downplaying the Situation
While Tangem pushed out an update on December 30 to prevent further leaks of seed phrases, some crypto community members called out the wallet provider’s muted response. However, Tangem told Cointelegraph that it had communicated directly with affected users and handled the issue transparently.
Tangem had not made any announcements on its social media channels, Twitter, Discord, or Telegram at the time of publication on December 31. However, all Tangem users are advised to immediately update their mobile applications to avoid potential seed phrase leaks.
Additional Measures Implemented by Tangem
In response to the issue, Tangem told Cointelegraph that it has implemented several additional measures, including:
- Enhanced security protocols
- A proactive outreach program to notify affected users with clear instructions and support
- A bug bounty program to identify vulnerabilities in exchange for rewards.
The crypto community has been abuzz with the news of Tangem’s security vulnerability. While some users have expressed concern about the wallet provider’s handling of the situation, others have praised its transparency and proactive measures in addressing the issue.
As the cryptocurrency market continues to evolve, security remains a top priority for investors and wallet providers alike. The incident serves as a reminder of the importance of robust security protocols and transparent communication in maintaining trust within the community.