Bitcoin Forum
Author Topic: Tangem collecting user seedphrases?  (Read 447 times)
OmegaStarScream (OP) - Staff, Legendary (Activity: 4074, Merit: 6996)
December 31, 2024, 09:22:58 AM
Merited by NeuroticFish (3), SFR10 (1), ABCbits (1), satscraper (1)
#1

The issue in a few words (from the Tangem team):

Quote
What was the issue? When creating a wallet with a seed phrase, the private key was mistakenly logged in the application’s logs. These logs could later be accessed during interactions with our support team.
---

Who could be potentially affected by this? This statement applies to users who: a. Activated a wallet using a seed phrase. b. Contacted our support team through the app within 7 days of activation. It is only by combining these two factors that there could have been a potential vulnerability. If you generated or imported a seed phrase but did not email support directly from the app within the log storage period, you were not affected.

The statement from the company: https://www.reddit.com/r/Tangem/comments/1hougo1/comment/m4jygh9/?context=3

Article: https://cointelegraph.com/news/tangem-security-vulnerability-fixed-private-key-leak
satscraper - Legendary (Activity: 1330, Merit: 2455)
December 31, 2024, 10:03:55 AM
Last edit: December 31, 2024, 10:25:03 AM by satscraper
#2

~

I activated my Tangem via seed around a year ago but never communicated with support, so it would not pose any issue for me; nevertheless I have updated my wallet to the latest release. Thanks for the heads-up.


BTW, just out of curiosity I have just simulated the communication with support to see what the relevant message contains, and found that there is an option to edit what is going to be sent to them.

_act_ - Legendary (Activity: 1484, Merit: 1735)
December 31, 2024, 01:06:46 PM
#3

Quote from: satscraper
I activated my Tangem via seed around a year ago but never communicated with support, so it would not pose any issue for me; nevertheless I have updated my wallet to the latest release. Thanks for the heads-up.

I thought you were using Foundation Passport. Or perhaps you have many hardware wallets.

There was a post about it in Collectibles, which I also posted in. I think I will prefer to use a wallet on an airgapped device instead. Some people might have lost their coins thinking hardware wallets are very safe.

OmegaStarScream thanks for making this understandable.

satscraper - Legendary (Activity: 1330, Merit: 2455)
December 31, 2024, 02:38:37 PM
Last edit: January 01, 2025, 04:36:14 PM by satscraper
#4

Quote from: _act_
I thought you were using Foundation Passport. Or perhaps you have many hardware wallets.

To keep the main stash in BTC I do use Foundation Passport batch 2. However, for on-the-go spending I utilize Tangem 2, which is used to top up my crypto cards, largely with USDT. I have mentioned this here. You may look at my posts, particularly this one, relevant to Tangem in the dedicated thread. Tangem is very easy to use in the course of everyday routine; that is why I added this wallet to my arsenal.

dkbit98 - Legendary (Activity: 2828, Merit: 8467)
January 01, 2025, 07:57:03 PM
#5

Nobody should be surprised when things like this happen to closed-source hardware wallets and their crap app.
I really don't understand why anyone would use Tangem products when they already have a great open-source alternative called Satochip.
They are both in the exact credit-card format, but users have much more freedom and choice with all Satochip products.

I will remind everyone to STOP using all hardware wallets that are not open source.

satscraper - Legendary (Activity: 1330, Merit: 2455)
January 02, 2025, 08:55:16 AM
Last edit: January 02, 2025, 09:32:57 AM by satscraper
#6

Quote from: dkbit98
I really don't understand why anyone would use Tangem products when they already have a great open-source alternative called Satochip.

Regarding me, I chose Tangem instead of Satochip for its unique backup scheme. The other reason: they are going to issue the next generation of Visa-approved cards with crypto payments enabled via Tangem Pay. Thus, the use of their current cards permits me to get a better understanding of the Tangem technique. Sure, both Tangem and Satochip are not recommended by me for a big BTC stash.

I'm an active Tangem user and recommend it for small sums for on-the-go payments.

@dkbit98, just out of curiosity, I wonder whether you have hands-on experience working with Satochip.

ABCbits - Legendary (Activity: 3472, Merit: 9548)
January 02, 2025, 09:07:50 AM
Merited by NeuroticFish (4)
#7

Who let their programmer add code which logs seed phrases or other sensitive data? Anyway, looking at their blog post[1] makes it clear that the Tangem company is trying to downplay this security vulnerability. They use the term "Potential Vulnerability", which is wrong since people can reproduce the security vulnerability.

[1] https://tangem.com/en/blog/post/tangem-resolves-log-issue/

DaveF - Legendary (Activity: 4074, Merit: 7062)
January 02, 2025, 02:16:11 PM
Merited by NeuroticFish (3), ABCbits (1), satscraper (1)
#8

Quote from: ABCbits
Who let their programmer add code which logs seed phrases or other sensitive data? Anyway, looking at their blog post[1] makes it clear that the Tangem company is trying to downplay this security vulnerability. They use the term "Potential Vulnerability", which is wrong since people can reproduce the security vulnerability.

[1] https://tangem.com/en/blog/post/tangem-resolves-log-issue/

I would have said 'low risk' instead of potential.

If you didn't send the logs to them with a support request within the time before the info was overwritten or auto-purged, the data never left the phone.

If you have other things on your phone that are snooping on other logs and reading / scanning / sending that info to malicious people, you have many, many, many larger issues, since the info was in a location that only the Tangem app should have access to.


Quote from: dkbit98
Nobody should be surprised when things like this happen to closed-source hardware wallets and their crap app.
I really don't understand why anyone would use Tangem products when they already have a great open-source alternative called Satochip.
They are both in the exact credit-card format, but users have much more freedom and choice with all Satochip products.

I will remind everyone to STOP using all hardware wallets that are not open source.

The part that sent the keys was and still is 100% open source. So, even if the cards were open source this still would have happened.

-Dave

satscraper - Legendary (Activity: 1330, Merit: 2455)
January 02, 2025, 04:05:51 PM
#9


Quote from: DaveF
The part that sent the keys was and still is 100% open source. So, even if the cards were open source this still would have happened.

-Dave

Nice catch. And as I have already said, there is an option to see what you are sending to support and to edit the message. Thus, those who sent them their log with the seed were careless people who preferred not to take the trouble of reading what they were sending. I would not create a strained atmosphere around Tangem.

joniboini - Legendary (Activity: 2786, Merit: 1870)
January 03, 2025, 01:03:56 AM
#10

Quote from: ABCbits
Who let their programmer add code which logs seed phrases or other sensitive data?

I'm wondering about the same thing. Maybe this is unintended behavior, who knows really? They did claim it was a bug. I'd be surprised if one of their QA testers or devs noticed this in production and greenlit it, since seed phrase safety is crucial for their product's brand image. Then again, we know companies make confusing decisions that make people distrust them, like Ledger.

NotATether - Legendary (Activity: 2198, Merit: 9214)
January 03, 2025, 03:25:18 AM
#11


Quote from: satscraper
BTW, just out of curiosity I have just simulated the communication with support to see what the relevant message contains, and found that there is an option to edit what is going to be sent to them.

Edit what exactly? You mean it just opens a notepad and lets you arbitrarily modify the log file?

Assuming there wasn't some sort of vulnerability like this in the first place, who would want to do that? Most people don't read log files. It's mainly a feature for the developers and it's sent automatically without modification.

ABCbits - Legendary (Activity: 3472, Merit: 9548)
January 03, 2025, 08:15:13 AM
#12

Quote from: DaveF
Quote from: ABCbits
Who let their programmer add code which logs seed phrases or other sensitive data? Anyway, looking at their blog post[1] makes it clear that the Tangem company is trying to downplay this security vulnerability. They use the term "Potential Vulnerability", which is wrong since people can reproduce the security vulnerability.

[1] https://tangem.com/en/blog/post/tangem-resolves-log-issue/

I would have said 'low risk' instead of potential.

If you didn't send the logs to them with a support request within the time before the info was overwritten or auto-purged, the data never left the phone.

If you have other things on your phone that are snooping on other logs and reading / scanning / sending that info to malicious people, you have many, many, many larger issues, since the info was in a location that only the Tangem app should have access to.

Fair point, since it requires action from the user, or the device being compromised (either due to jailbreak or use of a very old OS).

Quote from: joniboini
Quote from: ABCbits
Who let their programmer add code which logs seed phrases or other sensitive data?
I'm wondering about the same thing. Maybe this is unintended behavior, who knows really? They did claim it was a bug. I'd be surprised if one of their QA testers or devs noticed this in production and greenlit it, since seed phrase safety is crucial for their product's brand image. Then again, we know companies make confusing decisions that make people distrust them, like Ledger.

Being unintended is possible, since dumping data to a log is a way to debug a program. But QA, a code reviewer, a security reviewer or anyone in a similar position could have noticed it and asked for a change.

satscraper - Legendary (Activity: 1330, Merit: 2455)
January 03, 2025, 10:22:39 AM
Last edit: January 03, 2025, 10:47:04 AM by satscraper
#13


Quote from: NotATether
Quote from: satscraper
BTW, just out of curiosity I have just simulated the communication with support to see what the relevant message contains, and found that there is an option to edit what is going to be sent to them.

Edit what exactly? You mean it just opens a notepad and lets you arbitrarily modify the log file?

Tap the three dots in the upper right corner of the app, tap Contact Support. It shows the content of the message, which can be edited directly within the app, plus app_logs.txt attached, which can be deleted by pressing "x" on the attachment. Regarding app_logs.txt, I think there is a way to reach this file on my Android and analyze it. I should check this in my spare time.

UPD. Wasting no time, I found an easy way to look at app_logs.txt. At the top of the message tap the To field, tap Remove, insert your own email address into the To field and send it to yourself with app_logs.txt attached. Shazam.


Quote from: NotATether
Most people don't read log files.

Agreed, most people are careless.

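
Once app_logs.txt is in your own mailbox, as described in the post above, it is worth checking it for key material before it goes anywhere else. The script below is an added example, not Tangem's code: the Tangem log format is not documented on this page, so the sample lines are constructed, and the keys in them are throwaway demo values. It looks for WIF private keys and BIP32 xprv keys (verified by base58check checksum, so random base58-looking tokens are not reported) and for runs of 12 or more short lowercase words as candidate BIP39 mnemonics, then produces a redacted copy you could attach instead.

```python
"""Scan an exported wallet-app log for leaked key material before attaching it
to a support ticket.  Added example, not Tangem's code; the log lines are
constructed and the keys in them are throwaway demo values.

Detects WIF private keys and BIP32 xprv keys (both verified by base58check
checksum) and runs of 12+ lowercase 3-8 letter words as candidate BIP39
mnemonics (heuristic: no wordlist check, so long runs of short prose match).
"""
import hashlib
import re
from typing import List, Optional, Tuple

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
XPRV_VERSION = bytes.fromhex("0488ADE4")  # mainnet xprv version bytes (BIP32)

WIF_RE = re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b")
XPRV_RE = re.compile(r"\bxprv[1-9A-HJ-NP-Za-km-z]{107,108}\b")
MNEMONIC_RE = re.compile(r'(?:\b[a-z]{3,8}\b[\s=:,.;"-]*){12,}')


def hash256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(payload: bytes) -> str:
    raw = payload + hash256(payload)[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58check_decode(s: str) -> Optional[bytes]:
    """Payload if the 4-byte double-SHA256 checksum verifies, else None."""
    n = 0
    for ch in s:
        if ch not in B58_ALPHABET:
            return None
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + body
    if len(raw) < 5 or hash256(raw[:-4])[:4] != raw[-4:]:
        return None
    return raw[:-4]


def is_wif(token: str) -> bool:
    p = b58check_decode(token)  # 0x80 || key32 [|| 0x01 compressed flag]
    return (p is not None and p[0] == 0x80
            and (len(p) == 33 or (len(p) == 34 and p[-1] == 0x01)))


def is_xprv(token: str) -> bool:
    p = b58check_decode(token)  # version||depth||fp||child||chain||0x00||key
    return p is not None and len(p) == 78 and p[:4] == XPRV_VERSION


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """(line number, kind, matched text) for every secret found, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in WIF_RE.finditer(line):
            if is_wif(m.group()):
                findings.append((lineno, "wif", m.group()))
        for m in XPRV_RE.finditer(line):
            if is_xprv(m.group()):
                findings.append((lineno, "xprv", m.group()))
        for m in MNEMONIC_RE.finditer(line):
            findings.append((lineno, "mnemonic", m.group().rstrip(' =:,.;"-')))
    return findings


def redact_log(text: str) -> str:
    """Copy of the log with every finding replaced; this is what you attach."""
    for _, kind, secret in scan_log(text):
        text = text.replace(secret, f"[REDACTED {kind}]")
    return text


# Constructed sample.  Key bytes are 0x11 * 32 (a demo value, never used for
# funds); the mnemonic is the public BIP39 all-zero-entropy test vector.
DEMO_KEY = bytes.fromhex("11" * 32)
DEMO_WIF = b58check_encode(b"\x80" + DEMO_KEY + b"\x01")
DEMO_XPRV = b58check_encode(XPRV_VERSION + b"\x00" * 9      # depth, fingerprint, child
                            + bytes.fromhex("22" * 32)      # chain code
                            + b"\x00" + DEMO_KEY)           # 0x00 || private key
DEMO_LOG = "\n".join([
    "2024-12-20 10:00:01 I/App: app started",
    "2024-12-20 10:00:05 I/Card: card scanned, wallets=1",
    "2024-12-20 10:00:09 D/WalletCreate: mnemonic = abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon abandon abandon about",
    f"2024-12-20 10:00:09 D/WalletCreate: master key {DEMO_XPRV}",
    f"2024-12-20 10:00:10 D/Sign: wif={DEMO_WIF}",
    "2024-12-20 10:00:12 I/Sync: balance refreshed for 3 tokens",
])
```

Run scan_log over the mailed file; if it reports anything, send redact_log's output rather than the original, and treat any key it found as compromised if the unredacted file already left the phone. Checksum validation means a key that was wrapped or truncated by the logger is missed, which is why the mnemonic check stays a plain word-run heuristic rather than demanding a valid checksum.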
Mitchell - Staff, Legendary (Activity: 4522, Merit: 2631)
January 03, 2025, 10:38:52 AM
Merited by satscraper (1)
#14

Quote from: ABCbits
Who let their programmer add code which logs seed phrases or other sensitive data? Anyway, looking at their blog post[1] makes it clear that the Tangem company is trying to downplay this security vulnerability. They use the term "Potential Vulnerability", which is wrong since people can reproduce the security vulnerability.

[1] https://tangem.com/en/blog/post/tangem-resolves-log-issue/

What the actual fuck. That code was clearly not reviewed (or they don't have a proper process in place).

DaveF - Legendary (Activity: 4074, Merit: 7062)
January 03, 2025, 11:55:35 AM
Merited by NeuroticFish (10), The Sceptical Chymist (6), satscraper (5), ABCbits (3), SFR10 (1)
#15

Quote from: Mitchell
Quote from: ABCbits
Who let their programmer add code which logs seed phrases or other sensitive data? Anyway, looking at their blog post[1] makes it clear that the Tangem company is trying to downplay this security vulnerability. They use the term "Potential Vulnerability", which is wrong since people can reproduce the security vulnerability.

[1] https://tangem.com/en/blog/post/tangem-resolves-log-issue/

What the actual fuck. That code was clearly not reviewed (or they don't have a proper process in place).

Going to repost something I have posted here and on reddit and github and other places over time.

So, more or less quoting myself.

Quote
There are countless open-source apps out there run by millions and millions of people that have still had major security vulnerabilities in them for years. Open source does not mean shit in terms of security. All it means is that if people want to, and have the ability to understand it, they can check what is going on. Most people don't, since unless you fully understand every function and every step you can't be sure that the one section you didn't fully comprehend was the bad one.

Examples: sshd and openssl, 2 things that you know run on 90% of the servers on the internet: https://www.logpoint.com/en/blog/the-story-of-regresshion/

https://www.threatintelligence.com/blog/openssl-vulnerabilities

And let's not forget the Apache log4j screw-up: https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance

I can go on with dozens of other examples if you want.


So the code could have been reviewed. But people missed it.

If 1000s of people reviewing the above projects over years and years missed some (after the fact) totally obvious issues like these, then a smaller company missing something like this is GOING TO HAPPEN.

Or to put it another way.

OPEN SOURCE IS NOT MORE SECURE. OPEN SOURCE ALLOWS PEOPLE TO SEE WHAT IS HAPPENING, AND POSSIBLY FIND MISTAKES THAT OTHERS HAVE MADE. BUT UNLESS THE PEOPLE LOOKING AT IT SEE THE MISTAKE AND REPORT IT, THEN IT'S NO BETTER THAN CLOSED SOURCE.

Ending rant.

-Dave


Cricktor - Legendary (Activity: 1358, Merit: 3403)
January 05, 2025, 02:44:18 AM
#16

OK, Tangem is apparently a display-less smartcard. I admit I don't know much about this device.

Now, what did the developers not understand? That a private key or seed of a hardware wallet should never leave the device? I wonder how such a basic paradigm of hardware wallets could be intentionally broken? (Don't ask about the Ledger crap...)

I can imagine that for support or debugging purposes such a "device" needs to provide somewhat more extensive logs, as there are no status lights or display or whatever. But still, I don't get why a log is created on a "hot" online device with the most precious secrets of the wallet exposed.

DaveF - Legendary (Activity: 4074, Merit: 7062)
January 09, 2025, 06:35:45 PM
#17

Quote from: Cricktor
OK, Tangem is apparently a display-less smartcard. I admit I don't know much about this device.

Now, what did the developers not understand? That a private key or seed of a hardware wallet should never leave the device? I wonder how such a basic paradigm of hardware wallets could be intentionally broken? (Don't ask about the Ledger crap...)

I can imagine that for support or debugging purposes such a "device" needs to provide somewhat more extensive logs, as there are no status lights or display or whatever. But still, I don't get why a log is created on a "hot" online device with the most precious secrets of the wallet exposed.

For the longest time you could NOT get a seed from a Tangem card.
People kept freaking out about recovering it in case something happened to all their cards, so Tangem gave in to them and allowed you to see your seed on your phone when you created your wallet.
Now, the app has always logged a fair amount of data, none of it security-compromising.

When they rewrote the app to display your seed, it was understandably logged for testing / debugging.

And then someone screwed up and did not take the logging out when they pushed it to production.

So if you did send your logs out to them for support before they were overwritten, they got a copy of your seed.

Which proves that people love to talk about open source, but nobody reads / understands a lot of it even when they use it.

-Dave

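
The sequence Dave describes above is the classic shape of this bug: a debug line that prints the seed during development and is not removed before release. What follows is an added example of two controls that make such a line harmless even if it ships, written in Python rather than the app's own Kotlin or Swift, so the wallet flow, logger name and placeholder text are stand-ins and not Tangem's code. The first control is a Secret wrapper whose str(), repr(), %s and f-string renderings all produce a placeholder, so only an explicit reveal() call can put the value into a string; the second is a logging filter that masks registered secrets in the rendered message, the same known-secret masking CI systems apply to their logs, as defence in depth for the case where someone logs reveal() anyway.

```python
"""Two controls against the failure mode above: key material wrapped in a type
that never prints itself, and a log filter that masks known secrets.  Added
example in Python; the wallet flow below is a stand-in, not the Tangem app."""
import io
import logging
from typing import Set

KNOWN_SECRETS: Set[str] = set()  # plaintexts to mask; same lifetime as the secrets themselves


class Secret:
    """str(), repr(), %s and f-strings all yield a placeholder.  Only an explicit
    reveal() returns the value, so every real use is greppable in code review."""
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value
        if len(value) >= 8:  # never register tiny strings: masking "1" would wreck every log line
            KNOWN_SECRETS.add(value)

    def reveal(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "Secret(***)"

    __str__ = __repr__

    def __format__(self, spec: str) -> str:  # f"{secret}" and "{}".format(secret) land here
        return "Secret(***)"


class MaskKnownSecrets(logging.Filter):
    """Rewrite the rendered message before any handler writes it, so a stray
    log.debug("...", secret.reveal()) or a raw copy of the string is still masked."""

    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()
        for s in KNOWN_SECRETS:
            if s in msg:
                msg = msg.replace(s, "***")
        record.msg, record.args = msg, ()  # formatter will now render the masked text
        return True


def make_logger(sink: io.StringIO, mask: bool) -> logging.Logger:
    log = logging.getLogger("wallet-demo")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if mask:
        handler.addFilter(MaskKnownSecrets())
    log.addHandler(handler)
    return log


def create_wallet_vulnerable(mnemonic: str) -> str:
    """The bug: the mnemonic is a plain str, so a debug line left in production
    writes it verbatim.  Returns what reached the log sink."""
    sink = io.StringIO()
    log = make_logger(sink, mask=False)
    log.debug("wallet created, mnemonic=%s", mnemonic)
    return sink.getvalue()


def create_wallet_hardened(mnemonic: str) -> str:
    """Same flow with both controls in place.  Returns what reached the log sink."""
    sink = io.StringIO()
    log = make_logger(sink, mask=True)
    seed = Secret(mnemonic)
    log.debug("wallet created, mnemonic=%s", seed)  # placeholder, not the words
    log.debug(f"debug dump: {seed!r} / {seed}")     # repr and f-string: placeholder
    log.debug("oops: %s", seed.reveal())            # explicit leak, masked by the filter
    return sink.getvalue()
```

The wrapper is the primary control because it removes the easy mistake by construction: a developer has to type reveal() to get the words into a string, and that call is what a reviewer greps for. The filter only helps for values that were registered, so it is a net under the wrapper, not a substitute for it.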
Meuserna - Sr. Member (Activity: 295, Merit: 435)
January 09, 2025, 08:22:19 PM
#18

Quote from: DaveF
When they rewrote the app to display your seed, it was understandably logged for testing / debugging.

And then someone screwed up and did not take the logging out when they pushed it to production.

So if you did send your logs out to them for support before they were overwritten, they got a copy of your seed.

Which proves that people love to talk about open source, but nobody reads / understands a lot of it even when they use it.

Actually, this proves the importance of being fully open source.

If the app wasn't fully open source, the logging might not have been spotted.  And if someone at Tangem realized it was there, they could have used it maliciously.

But since the app is fully open source, the logging code was found, leading to it being removed.

Even if the average Joe Shmoe doesn't understand why open source matters, being open source helps to keep them safe.

Being open source matters.  I'll never trust my Bitcoin to closed source code.
dkbit98 - Legendary (Activity: 2828, Merit: 8467)
January 10, 2025, 11:04:29 PM
Merited by Meuserna (1)
#19

Quote from: satscraper
Just out of curiosity, I wonder whether you have hands-on experience working with Satochip.

Yes, I worked with them on a project for creating special-edition designed Satochip cards.
This was announced and posted publicly on the bitcointalk forum, and I think most of the cards sold very quickly.
I stand by my claim that Satochip is 10 times better than Tangem in every way.

Quote from: DaveF
The part that sent the keys was and still is 100% open source. So, even if the cards were open source this still would have happened.

This is NOT firmware, and I was talking about that.
Their app is super crap, and it's not important if it is claimed to be partially open source when it can't be compiled.
They are deceivers and amateurs, so anyone choosing to trust them is playing Russian roulette.

PrivacyG - Legendary (Activity: 1386, Merit: 2296)
January 11, 2025, 10:58:29 PM
#20

Open source or not, my advice is that less-known hardware wallets should not be the choice for storing significant value. If a crucial mistake is made in the coding, it is one thing for Trezor and another for Tangem. Trezor has how many users versus Tangem? Which I presume also increases the likelihood that somebody finds the problem in the code faster for the Trezor source code than for Tangem's.

Stick to either Trezor or, if further paranoid, let hardware wallets be maybe only the portable hardware wallet for when you travel, and keep the stash on an airgapped computer. That solves about 100 percent of these types of problems.

 