Tangem Addresses Security Flaw That Exposed Users’ Private Keys

Cryptocurrency wallet provider Tangem has resolved a critical security vulnerability in its mobile app that exposed private keys of certain users during email interactions with support. The issue came to light following community concerns and a detailed Reddit discussion on December 29.

The Issue at Hand

A Reddit user, “u/areklanga,” revealed that Tangem’s app logged private keys in its internal system and email communications. This process potentially allowed Tangem employees to access sensitive user information. “User private keys remain in both user email history, Tangem email history, and perhaps in some Tangem ticket tracking system,” the user stated.

The issue caused an uproar in the crypto community, as it highlighted the risk of exposing private keys, which could compromise wallet security.

Tangem’s Response

On December 30, Tangem acknowledged the vulnerability, attributing it to a bug in the app’s log processing function. In a statement shared on Reddit, the company explained, “When creating a wallet with a seed phrase, the private key was mistakenly logged in the application’s logs. These logs could later be accessed during interactions with our support team.”

Tangem confirmed that the bug affected fewer than 0.1% of users under specific conditions. Only those who activated wallets with a seed phrase and contacted support within seven days were potentially at risk. The company assured users that no funds were lost and no unauthorized account access occurred.

Measures Taken

Tangem has resolved the issue and deleted all logs received by its support team. Additionally, the company implemented the following measures:

• Enhanced security protocols to prevent future vulnerabilities.
• A bug bounty program to identify potential flaws.
• Direct outreach to affected users with clear instructions and support.

Tangem advised all users to update their mobile apps immediately to mitigate any potential risks.

Community Concerns

Despite addressing the bug, Tangem faced criticism for its communication strategy. Community members expressed frustration over the lack of public announcements on social media platforms like Twitter, Discord, and Telegram.

Some accused the company of downplaying the severity of the issue. “While they claim that only a ‘very small group of users’ was affected, how many users had their keys written in plain text to their phones?” one Redditor questioned.

Moving Forward

Tangem has pledged greater transparency and stronger security measures moving forward. However, the incident underscores the importance of robust security practices in the cryptocurrency space, where the loss of private keys can have severe consequences.