The crypto wallet Edge experienced a security breach, with the attacker stealing 2,000 private keys. On February 22, the team detailed the security incident in a blog post, claiming that it had discovered the vulnerability. The team has already released a patch to fix the problem.
Since then, the company has urged users to update to the latest version of Edge (v3.3.1), which is available on Google Play, App Store, and as a direct download from their website.
Edge discovered a vulnerability in the app that would allow private keys to be leaked. A user notified the team after they lost all of their Bitcoins as a result of an unauthorised transaction. The attacker only stole Bitcoin, leaving all other assets untouched.
The vulnerability compromised approximately 2,000 private keys: they were sent to Edge infrastructure and became visible on the Edge logs server. According to Edge, this represents less than 0.01% of the total number of keys generated on the platform.
The attacker only had access to the Bitcoin wallet’s individual master private key. As a result, the user’s account was not accessed; rather, only the Bitcoin wallet’s private key was compromised.
Further investigation revealed that a combination of actions could leave private keys exposed. The first was that if a user selected a few options under the buy and sell tabs, the encrypted private key of the selected wallet would be written to a log on the device's disk.
The second issue was that if the user used the upload logs feature, the logs would be sent to Edge servers. If the aforementioned buy and sell options had been chosen, the uploaded logs would include the private key.
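The two steps above (key material written to a local log, then shipped by a log upload) are the kind of leak a pre-upload scrubber is meant to stop. The following is an added example, not Edge's code: it assumes key material would appear in logs as Base58Check text (mainnet WIF or BIP32 xprv), which the report does not specify, and all function names and log lines are hypothetical.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
XPRV = bytes.fromhex("0488ade4")  # BIP32 mainnet extended private key prefix
CANDIDATE = re.compile("[" + B58 + "]{50,112}")  # long Base58 runs worth checking

def _check(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload):
    # Used here only to build the constructed sample keys below.
    data = payload + _check(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def b58check_decode(text):
    """Return the payload if the 4-byte double-SHA256 checksum verifies, else None."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    raw = b"\0" * (len(text) - len(text.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return raw[:-4] if len(raw) > 4 and _check(raw[:-4]) == raw[-4:] else None

def is_private_key(token):
    payload = b58check_decode(token)
    if payload is None:
        return False
    wif = payload[0] == 0x80 and len(payload) in (33, 34)  # mainnet WIF
    return wif or (payload[:4] == XPRV and len(payload) == 78)

def scrub(line):
    """Redact checksum-valid key strings; return (clean_line, number_redacted)."""
    hits = 0
    def repl(m):
        nonlocal hits
        if not is_private_key(m.group(0)):
            return m.group(0)  # e.g. an address or a random identifier
        hits += 1
        return "[REDACTED-PRIVATE-KEY]"
    return CANDIDATE.sub(repl, line), hits

# Constructed sample data: fixed bytes, not keys from any real wallet.
SAMPLE_WIF = b58check_encode(b"\x80" + b"\x11" * 32 + b"\x01")
SAMPLE_XPRV = b58check_encode(XPRV + bytes(74))
SAMPLE_LOG = [
    "10:01:02 buy-plugin: opened provider for wallet key=" + SAMPLE_WIF,
    "10:01:03 buy-plugin: quote id=" + SAMPLE_WIF[:-1] + ("2" if SAMPLE_WIF[-1] != "2" else "3"),
    '10:01:04 sell-plugin: {"account":"' + SAMPLE_XPRV + '"}',
]
```

Verifying the checksum rather than matching on shape alone keeps the scrubber from redacting ordinary Base58 identifiers, as the second sample line shows; it does not catch keys logged in hex or other encodings.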
The total number of affected users accounts for 0.01% of all keys generated via Edge. The total amount stolen is estimated to be in the “low 5 figures in USD.”
The company confirmed to users that the Edge log servers were not compromised and that their funds were not lost.
A spot check of several dozen private keys shows that many still have funds remaining. Through this, we ascertain that there has not been a wide sweeping compromise of Edge infrastructure which would have compromised a vast majority of funds on such keys.