Last updated:
Journalist
Hassan Shittu
Journalist
Hassan Shittu
Share
Why Trust Cryptonews
Ad Disclosure
We believe in full transparency with our readers. Some of our content includes affiliate links, and we may earn a commission through these partnerships. Read more
Cryptocurrency wallet provider Tangem has addressed a critical security vulnerability in its mobile app that could have exposed certain users’ private keys via email.
The vulnerability was discovered after discussions on Reddit highlighted the risks to users’ funds. Redditors criticized Tangem for exposing the private keys to email accounts and making them accessible to its employees.
Tangem’s Wallet Vulnerability: What Happened?
On Dec. 29, a Reddit user, u/areklanga, raised the alarm, claiming Tangem had failed to address the issue promptly. They alleged that private keys were stored in email histories and possibly in Tangem’s internal systems.
The user further noted that an earlier Reddit post pointing out the problem was mysteriously deleted. Tangem acknowledged the flaw on Dec. 30 and released a bug fix to address the issue.
In a statement addressing the issue, Tangem assured its users that the problem had been fully resolved.
The company said,
“We sincerely appreciate your feedback regarding this issue and want to assure you that it has been fully resolved, At Tangem, we prioritize transparency, security, and trust, and we take matters like these extremely seriously.”
According to Tangem, the vulnerability stemmed from a bug in the app’s log processing system.
This flaw affected a limited group of users who created wallets using seed phrases and contacted the support team directly through the app.
These logs, which included private keys, were accessible for a short period before being deleted.
The company clarified that users who activated their wallets without seed phrases were unaffected, as their private keys are generated directly on Tangem’s hardware cards.
The company explained:
“Private keys do not exist with such setups, therefore they are unable to be extracted by anyone, not even Tangem.”
While the overall impact was minimal, affecting fewer than 0.1% of users, Tangem acknowledged the seriousness of the situation.
“We recognize the trust you place in Tangem, and we are fully committed to maintaining that trust by upholding the highest standards of security and transparency.”
Tangem Fixes Security Bug, Promises No Private Key Compromises
Tangem swiftly responded by identifying the bug, fixing it, and updating the app to ensure that private keys are no longer logged under any circumstances.
To further safeguard users, the company has permanently deleted all logs and attachments sent to its support team and implemented enhanced security protocols to prevent similar issues in the future.
Tangem is also reaching out directly to potentially affected users, providing clear instructions on securing their accounts.
The company is urging all users to update to the latest version of the Tangem app for optimal security.
Additionally, Tangem highlighted its active bug bounty program, which incentivizes security researchers and ethical hackers to identify system vulnerabilities.
Tangem reassured its community that no private keys were compromised, no funds were lost, and no unauthorized access occurred due to the bug.
Despite the fix, some crypto community members criticized Tangem for its lack of transparency.
As of Dec. 31, the company had not announced the issue on its social media platforms, including Twitter, Discord, or Telegram.
