Users who never visited any of the buy/sell options (Bity, Wyre, Bitrefill, Ionia, Xanpool, LibertyX, Bitaccess, Bits of Gold, and Banxa (bank transfer only)) would not be exposed to this vulnerability at all. In addition, we intend to push a release that will alert users if their wallet keys have been uploaded to Edge log servers (based on the matching public address). We are expediting this process and hope to have a release available within the week. New development has immediately started to make the transfer of funds to new keys a simple process in just a few clicks. *** Users can see a step-by-step guide on how to transfer funds here. New wallets in an existing account will not have the exposure to the vulnerabilities involving its private key. To secure funds, we urge users to create new wallets – a new account does not need to be created, just a new wallet inside of the account – and transfer funds from old wallets to newly created wallets. This release fixes all known vulnerabilities involving wallet private keys and immediately deletes all prior logs off disk. We are continuing investigation including deep device forensics to determine if malware may have had access to the unencrypted private keys on disk.Īt this time, we urge all Edge users to update to the latest version of Edge (v3.3.1) which is available in the Google Play Store, Apple App Store, and via direct download on our website. Through this, we ascertain that there has not been a wide sweeping compromise of Edge infrastructure which would have compromised a vast majority of funds on such keys.ĭue to the narrow nature by which a user’s keys may have been compromised and the very little mention we’ve received from users with missing funds, currently amounting to low 5 figures in USD, we believe this incident has very limited scope and may be a targeted attack on the users affected. In addition, a spot check of several dozen private keys show that many still have funds remaining. This amounts to less than 0.01% of the approximate total keys created on the Edge platform. The upload would need to occur shortly after visiting the buy/sell screen, as new log entries eventually push away old entries.īased on visibility of keys on the Edge logs server, this vulnerability has compromised approximately 2000 private keys by sending them to Edge infrastructure. Logs would include the private key if the upload was done after the entry into one of the buy/sell options. Used the “Upload Logs” feature in Edge, which would send logs to Edge servers.This action would log the unencrypted private key of the currently-selected wallet to the device’s disk. Enter one of the following options available from the “Buy” or “Sell” tabs in the bottom navigation bar: Bity, Wyre, Bitrefill, Ionia, Xanpool, LibertyX, Bitaccess, Bits of Gold, Banxa (bank transfer only, not credit card or Apple Pay).Since Edge uses individual master private keys for each wallet, we determined that the user’s account was not logged into by an attacker, but that only the private key of their Bitcoin wallet was compromised.Īfter further investigation, we determined that the Edge application contained a vulnerability that would leak private keys once a user performs not one, but both of the following actions: All other funds on their Edge account were intact. On Feb 20, 2023, Edge senior staff were made aware of a security incident whereby a user had experienced an unauthorized transaction which swept the full amount of their Bitcoin wallet.
0 Comments
Leave a Reply. |