The Old Trust Wallet iOS vulnerability from 2018 may still affect some accounts.
An old vulnerability in the Trust Wallet iOS app could still affect individuals who created an account during the affected period, even if they no longer use Trust Wallet, according to a recent report by security researchers at SECBIT Labs. The vulnerability only existed between February 5 and August 21, 2018, and does not affect accounts created after that time, the researchers said. However, some users may be unaware of the vulnerability and may still be using vulnerable wallets.
The vulnerability was caused by two functions in Trezor's crypto library that were meant to be used for testing purposes only. Despite developer notes warning against using them, Trust Wallet accidentally included these functions in its iPhone wallet app, SECBIT said. This bug reportedly allowed attackers to guess some users' private keys and steal their funds. According to SECBIT, these accounts are still vulnerable.
This newly disclosed vulnerability is said to be separate and distinct from the Trust Wallet browser extension flaw that the Trezor team acknowledged in April 2023.
Responding to SECBIT's claims in a blog post on February 15, Trust Wallet said the vulnerability affected only a few thousand users, all of whom had been notified and migrated to new wallets. Trust Wallet said it patched the vulnerability in July 2018 and that the app is currently safe to use.
SECBIT found a vulnerability in the Trust Wallet iOS app
The research team said it discovered the bug while investigating a widespread attack on crypto wallets on July 12, 2023, which affected more than 200 crypto accounts. Many of the compromised accounts were stored on devices that had not been used for months or had no internet access, which should have made them extremely difficult to hack. The victims also used many different wallet applications, with Trust Wallet and Klever Wallet being the most common. The variety of wallets made it difficult to determine the cause of the theft, which piqued the researchers' curiosity.
After further investigation, the researchers found that most of the victims' addresses first received funds between July and August 2018. However, soon after this discovery, their investigation ended and they moved on to other research.
Then on August 7, 2023, the cybersecurity team Distrust announced that it had discovered a vulnerability in the Libbitcoin Explorer Bitcoin (BTC) tool. This Libbitcoin vulnerability, called "MilkSad," allowed attackers to guess users' private keys. After reading about this flaw, the SECBIT team began to suspect that a similar flaw might have caused the July 12 attack.
The researchers reopened the investigation and began looking at versions of the Trust Wallet code published between July and August 2018. They discovered that iOS versions of the app from this period used the random32() and random_buffer() functions from Trezor's trezor-crypto library to generate seed phrases (mnemonics).
These functions carried developer notes saying not to use them in production applications. For example, the note on random32() reads: "The following code should not be used in a production environment. [...] The library is included only to make it testable. [...] The message above tries to prevent any accidental use outside of the test environment."
After examining the code, the researchers reportedly found that it generated seed words with too little randomness to prevent attackers from guessing them. This means that any Trust Wallet account created on an iOS device during this period is at risk of being compromised, SECBIT said.
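The failure mode described above, a test-only generator seeded from a tiny state space being used to produce wallet entropy, can be caught by a simple pre-use audit. The following Python block is an added example written for this article; it is not Trust Wallet's or Trezor's code. The `TestOnlyRng` class is a constructed stand-in that reproduces only the property that matters (a general-purpose PRNG seeded from a 32-bit value), and `OsRng` shows the operating-system CSPRNG a wallet should use instead. The `audit()` function flags a generator that is deterministic for a given context or whose seed space is smaller than the entropy it is asked to produce.

```python
"""Audit an entropy source before using it to derive a wallet seed (added example)."""
import random
import secrets

# 256 bits of entropy, the amount behind a 24-word BIP39 mnemonic.
ENTROPY_BYTES = 32
# Anything below this is not acceptable for key material.
MIN_SEED_BITS = 128


class TestOnlyRng:
    """Constructed stand-in for a test-only RNG (not trezor-crypto's code).

    A general-purpose PRNG seeded from a 32-bit timestamp: however many
    bytes it emits, the whole output is determined by at most 2**32 seeds.
    """
    SEED_BITS = 32

    def __init__(self, timestamp: int) -> None:
        self._rng = random.Random(timestamp & 0xFFFFFFFF)

    def random_buffer(self, n: int) -> bytes:
        return self._rng.getrandbits(8 * n).to_bytes(n, "big")


class OsRng:
    """Operating-system CSPRNG; SEED_BITS is None because it has no fixed seed space."""
    SEED_BITS = None

    def random_buffer(self, n: int) -> bytes:
        return secrets.token_bytes(n)


def effective_entropy_bits(rng_cls, requested_bytes: int) -> int:
    """Upper bound on the entropy of requested_bytes from this generator.

    Output entropy can never exceed the seed space, no matter how many
    bytes are requested.
    """
    requested = requested_bytes * 8
    if rng_cls.SEED_BITS is None:
        return requested
    return min(requested, rng_cls.SEED_BITS)


def is_reproducible(rng_factory, n: int = ENTROPY_BYTES) -> bool:
    """Two generators built from the same context yielding identical output
    means the source is deterministic and unsuitable for key material."""
    first = rng_factory().random_buffer(n)
    second = rng_factory().random_buffer(n)
    return first == second


def audit(rng_factory, rng_cls, n: int = ENTROPY_BYTES,
          min_bits: int = MIN_SEED_BITS) -> list[str]:
    """Return a list of findings; an empty list means the source passed."""
    findings = []
    if is_reproducible(rng_factory, n):
        findings.append("deterministic")
    bits = effective_entropy_bits(rng_cls, n)
    if bits < min_bits:
        findings.append(f"only {bits} bits of seed entropy")
    return findings


def generate_seed_entropy(rng_factory, rng_cls, n: int = ENTROPY_BYTES) -> bytes:
    """Refuse to produce seed entropy from a source that fails the audit."""
    problems = audit(rng_factory, rng_cls, n)
    if problems:
        raise ValueError("unsafe entropy source: " + ", ".join(problems))
    return rng_factory().random_buffer(n)


if __name__ == "__main__":
    # Constructed timestamp standing in for "the time the wallet was created".
    created_at = 1532000000
    print("test-only RNG:", audit(lambda: TestOnlyRng(created_at), TestOnlyRng))
    print("OS CSPRNG:    ", audit(OsRng, OsRng))
```

The point of the audit is the `effective_entropy_bits` check: a generator that hands back 32 bytes on request still carries only its seed's worth of entropy, so the size of the buffer says nothing about how hard the resulting seed phrase is to guess.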
In its report, SECBIT said it generated a database of affected addresses, which it then forwarded to the Trust Wallet team. It also compared these addresses to the victims of the July 12 hack and found that 83% of the victims had wallets created by the random32() and random_buffer() functions.
When confronted with this information, Trust Wallet told SECBIT that it had privately notified users in 2018. It also emphasized that the addresses have zero balances and are therefore not at risk of losing money. SECBIT urged Trust Wallet to publicly disclose the vulnerability, but Trust Wallet did not comply. The firm said it published its findings after Trust Wallet failed to make them public.
Despite the critical report, SECBIT pointed out that Trust Wallet is open source, so other wallet developers may have forked the code and caused users to generate vulnerable addresses, or another wallet developer may have independently made the same mistake as Trust Wallet by using the trezor-crypto iOS library to create addresses. The researchers opined:
"Of course, Trust Wallet may not be the only one to have misused the trezor-crypto library. There may be many other unknown projects with similar vulnerabilities. One could even blame it for quietly turning the trezor-crypto library into an unreliable default implementation and introducing fatal flaws to projects that use it as a dependency."
According to SECBIT, Trezor updated its library on July 16, 2018, adding production-ready versions of the two functions. However, the vulnerability may still affect some users who created accounts in early 2018 but never sent money to them, the researchers said.
Trust Wallet's response
Cointelegraph reached out to Trust Wallet for comment. In response, a representative pointed to the team's Feb. 15 official statement on the matter. In this statement, the development team emphasized that the current version of Trust Wallet does not contain the vulnerability.
A spokesperson said: "We want to assure Trust Wallet users that their funds are safe and that the wallets are safe to use. While a previous vulnerability in our open source code affected only a few thousand users in early 2018, the vulnerability was quickly patched with support from the security community, and affected users were notified and migrated to safe wallets."
Trust Wallet pushed back against claims that it did not adequately inform users. "The founder of Trust Wallet took quick and proactive steps to notify all users and provide them with a secure migration path," the spokesperson said, "ensuring that no user is vulnerable."
Trust Wallet denied that most of the hacks are related to accounts generated by the app. Only "600 of the 2,000 hacked addresses" were found in its user database, indicating that most of the victims were not Trust Wallet users. Some of those 600 users could have imported their addresses from another app, Trust Wallet said.
Contrary to SECBIT's statement that 83% of victim addresses were affected, Trust Wallet said that "only one-third of them have Trust Wallet's 2018 historical vulnerability." In its statement, the team encouraged security researchers to use its bug bounty program and said it was committed to protecting its users.
In a report dated July 12, 2023, Klever Wallet confirmed that some of the victims of the attack had used its app, but said all of the affected addresses were imported and not originally created by Klever.
Cointelegraph also reached out to Trezor for comment. In response, the company's chief technology officer, Tomáš Sušánka, emphasized that the function in question is intended only for testing, not for production use.
"As exactly described in the source code, the function is not intended for use in a production environment, and we provide clear warnings for this. The function is replaced by a secure RNG on Trezor itself. This function is only for testing. We love open source, but it's unrealistic to expect us to prevent misuse of the many projects we've made open source. THESE PROJECTS ARE PROVIDED AS IS WITHOUT WARRANTIES, AS THE LICENSE EXPRESSLY STATES."
In its report, SECBIT warned iOS users with Trust Wallet accounts from the affected period to migrate to new wallets and stop using the old ones. "It is very concerning that users are still able to use wallets created during the vulnerability period," the researchers said. "Unbeknownst to them, they may face additional financial losses."