Remaining Vulnerability: Old Trust Wallet iOS Bug Still Poses Risk

According to a recent report from security researchers at SECBIT Labs, an old vulnerability in the Trust Wallet iOS app may still pose a risk to individuals who created accounts with it, even if they no longer use the app. The vulnerability existed between February 5 and August 21, 2018, and only impacts accounts created during that time period. Some users may be unaware of the vulnerability and may still be using the exposed wallets. The vulnerability was caused by two functions in the Trezor library that were mistakenly included in the Trust Wallet app, allowing attackers to guess the private keys of some users and steal their funds. SECBIT claims that these accounts are still vulnerable.

It is important to note that this vulnerability is different from a separate flaw in Trust Wallet’s browser extension, which was acknowledged by the Trezor team in April 2023. In a blog post responding to SECBIT’s claims, Trust Wallet stated that the vulnerability only affected a few thousand users, all of whom were notified and migrated to new wallets. Trust Wallet stated that the vulnerability was patched in July 2018 and that the app is currently safe to use.

SECBIT Labs discovered this vulnerability while investigating a widespread attack on crypto wallets that took place on July 12, 2023, affecting over 200 cryptocurrency accounts. Many of the attacked accounts had not been used for months or were stored on offline devices, making them difficult to hack. The victims used various wallet apps, with Trust Wallet and Klever Wallet being the most commonly used. This made it challenging to identify the cause of the hack. Upon further investigation, SECBIT found that most of the victims’ addresses had received funds between July and August 2018, leading them to suspect a flaw in Trust Wallet.

SECBIT researchers examined versions of the Trust Wallet code published between July and August 2018 and discovered that the iOS versions of the app during that time used functions from Trezor’s crypto iOS library that were not intended for production use. These functions generated seed words that could be guessed by attackers, putting any Trust Wallet account at risk of being drained.

SECBIT claimed to have compiled a database of compromised addresses and shared it with the Trust Wallet team. They compared these addresses with the victims of the July 12 hack and found that 83% of the victims had wallets generated using the vulnerable functions. Trust Wallet allegedly informed SECBIT that they had already notified users privately in 2018 and highlighted that the compromised addresses had zero balances, so there was no risk of losing funds. SECBIT insisted that Trust Wallet publicly disclose the vulnerability, but the company did not comply, leading SECBIT to publish its findings.

SECBIT noted that Trust Wallet is an open-source project, suggesting that other wallet developers may have forked the code and unwittingly caused their users to generate vulnerable addresses. They also speculated that other wallet developers may have independently made the same mistake as Trust Wallet by using the Trezor crypto iOS library from that period.

Trust Wallet responded to the allegations by emphasizing that the current version of the app does not contain the vulnerability. They maintained that the vulnerability was quickly patched in 2018, affected a small number of users, and those users were promptly notified and assisted with migrating to secure wallets. Trust Wallet denied claims that they had not adequately informed users and stated that only a third of the affected addresses were created using the flawed code.

SECBIT recommended that iOS users with Trust Wallet accounts created during the vulnerable period switch to new wallets and discontinue the use of the old ones to avoid further loss of funds.
