Edge Wallet security vulnerability leaks 2000 private keys

Mobile crypto wallet Edge has announced a security incident where about 2000 private keys have been leaked. The company has urged users to update to the latest version of the Edge Wallet as they further their investigations.

In an urgent notice on Feb. 22, Edge discovered a vulnerability on the app that would leak private keys.

Urgent notice:

We have identified a security vulnerability in Edge which has the potential to have affected a subset of users.

All users should read the blog post linked below and take immediate action:https://t.co/soWkf8U17k

— Edge (@EdgeWallet) February 22, 2023

Due to the visibility of keys on the Edge logs server, the vulnerability compromised approximately 2000 private keys by sending them to Edge infrastructure.

According to Edge, this amounts to less than 0.01% of the approximate total number of keys created on the platform.

The company, however, confirmed that the Edge log servers had not been compromised and that user funds are still intact.

“A spot check of several dozen private keys show that many still have funds remaining. Through this, we ascertain that there has not been a wide sweeping compromise of Edge infrastructure which would have compromised a vast majority of funds on such keys.”

Edge press statement

Edge said the attack occurred on Feb. 20, and the staff was alerted by a user who experienced an unauthorized transaction that swept funds from their Bitcoin wallet. The attacker only stole bitcoin (BTC) and left other assets.

Since Edge uses individual master private keys for each wallet, the company determined that only the private key of their bitcoin wallet was compromised and not the user’s account.

Edge further stated that they received only a few complaints of users missing funds, amounting to low 5 figures in USD, indicating that the incident may have been a targeted attack on the users.

The team discovered a few actions that could have led to a vulnerability in private keys. The first was if a user selected specific options under the buy and sell tabs, which would have resulted in logging the wallet’s encrypted private key onto the device’s disk.

The second was if the users used the upload logs feature, which would send the logs to the Edge servers, including the private key, if the buy and sell options were selected.

“We are continuing investigation including deep device forensics to determine if malware may have had access to the unecrypted private keys on disk.”

Edge press statement

The company has since urged users to update their latest version of Edge (v3.3.1), which is available on Google Play Store, App Store, and a direct download on their website.

The new release, they said, fixes all known vulnerabilities involving wallet private keys and immediately deletes all prior logs off disk.