About 2000 private keys were exposed in a security issue, according to mobile crypto wallet Edge.
As they carry out their investigations, the business has recommended consumers to update to the most recent version of the Edge Wallet. Edge identified a flaw in the app that could allow the disclosure of private keys in an urgent notification on February 22.
Over 2000 private keys were compromised by the vulnerability by being sent to Edge infrastructure since keys were visible on the Edge logs server.
This represents less than 0.01% of the about total number of keys created on the platform, according to Edge. However, the business reaffirmed that user payments were remained secure and that the Edge log servers had not been compromised.
“A spot check of several dozen private keys show that many still have funds remaining. Through this, we ascertain that there has not been a wide sweeping compromise of Edge infrastructure which would have compromised a vast majority of funds on such keys.”
According to Edge, the attack took place on February 20. A user who experienced an unauthorized transaction that removed money from their Bitcoin wallet notified the staff of the attack.
Only bitcoin (BTC) was taken; all other assets were left alone. As Edge creates unique master private keys for each wallet, the business concluded that only the user’s bitcoin wallet’s private key had been hacked and not their account.
Edge said that they had only received a small number of reports of users missing funds totaling under $5 million USD, suggesting that the incident may have been a deliberate attempt to target the users.
The group identified a few activities that might have resulted in a private key vulnerability. The first was the encrypted private key for the wallet would have been stored on the device’s disk if a user chose particular choices under the buy and sell tabs.
The second scenario was if users chose to upload logs, which would send the logs—along with the private key, assuming the buy and sell options were chosen—to the Edge servers.
“We are continuing investigation including deep device forensics to determine if malware may have had access to the unecrypted private keys on disk.”
Since then, the business has recommended users to update to the most recent version of Edge (v3.3.1), which can be downloaded directly from their website, the Google Play Store, and the App Store.
The new update, according to them, promptly deletes all previous logs from disk and solves all known vulnerabilities concerning wallet private keys.
