XACT Wallet Security Analysis

TL;DR

  • XACT SDK V1 sends wallet private keys over an encrypted channel (HTTPS/TLS) to XACT's API server, which signs and executes the transactions there.
  • There is no evidence that any XACT wallet private key has been stolen or exposed.
  • The private keys are not exposed to anyone other than the API server, and to anyone's knowledge no vulnerability was exploited.
  • The vulnerability is that anyone who broke into the XACT API server could log these requests, capture the keys and use them maliciously.
  • XACT has put security measures in place on the API server to mitigate this risk: SSH key login for only two users (the founders), with access using those keys restricted by IP address.
  • XACT is updating its API to V2, where all transactions are signed on device and no keys are sent to the API server.
  • The XACT mobile applications stopped using SDK V1 and sending private keys to the server at around 3 PM EST on Dec 23rd.

FULL REPORT

Claim:

The XACT wallet passes the wallet's private keys over the web, inside HTTPS, so that transactions executed through its SDK can be signed; the signing and the calls are executed on XACT's server instead of on the device.

Confirmations:

XACT has released a public statement confirming that this is true and that it is a vulnerability in their SDK V1. Below is a snippet from their statement where they describe the issue and explain how it was engineered:

I have also confirmed that these POSTs from the device are sending private keys, by proxy sensing on my personal iOS device using the XACT iOS application.
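The check described above can be made repeatable. The following is an added example, not code from the original post or from XACT, of inspection logic to run over request bodies captured by an intercepting proxy (for instance from a mitmproxy addon's request hook, which is an assumed integration). The hosts, paths and bodies are constructed for the demonstration and are not real XACT traffic; the hex prefix it looks for is the standard PKCS#8 DER header of an Ed25519 private key, the form in which Hedera SDKs print keys.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Capture is one intercepted HTTP request, in the shape a proxy addon would
// hand to an inspection script (a constructed shape, not any tool's API).
type Capture struct {
	Method, URL, Body string
}

// Finding names where in the body the suspect value sits and why it was flagged.
type Finding struct {
	Path, Reason string
}

var (
	// Hex of a PKCS#8 DER Ed25519 private key: fixed 16-byte header, then the
	// 32-byte seed. This is the form Hedera SDKs print private keys in.
	ed25519DERHex = regexp.MustCompile(`(?i)^302e020100300506032b657004220420[0-9a-f]{64}$`)
	pemPrivateKey = regexp.MustCompile(`-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----`)
	rawHex32      = regexp.MustCompile(`(?i)^[0-9a-f]{64}$`)
	secretName    = regexp.MustCompile(`(?i)priv(ate)?[_-]?key|secret[_-]?key|mnemonic|seed[_-]?phrase`)
)

// walk calls visit on every leaf of a decoded JSON document with a dotted path.
func walk(node interface{}, path string, visit func(string, interface{})) {
	switch n := node.(type) {
	case map[string]interface{}:
		for k, v := range n {
			if path == "" {
				walk(v, k, visit)
			} else {
				walk(v, path+"."+k, visit)
			}
		}
	case []interface{}:
		for i, v := range n {
			walk(v, fmt.Sprintf("%s[%d]", path, i), visit)
		}
	default:
		visit(path, node)
	}
}

// FindKeyLeaks reports anything in one request body that looks like private-key
// material. A bare 64-hex value counts only under a secret-looking field name,
// so transaction hashes and hex public keys do not trip it.
func FindKeyLeaks(c Capture) []Finding {
	var out []Finding
	var doc interface{}
	if err := json.Unmarshal([]byte(c.Body), &doc); err != nil {
		// Not JSON (form data, raw bytes): only the strong value patterns apply.
		if ed25519DERHex.MatchString(strings.TrimSpace(c.Body)) {
			out = append(out, Finding{"<raw body>", "ed25519_der_hex"})
		}
		if pemPrivateKey.MatchString(c.Body) {
			out = append(out, Finding{"<raw body>", "pem_private_key"})
		}
		return out
	}
	walk(doc, "", func(path string, v interface{}) {
		leaf := path[strings.LastIndex(path, ".")+1:]
		nameHit := secretName.MatchString(leaf)
		s, isStr := v.(string)
		switch {
		case isStr && ed25519DERHex.MatchString(s):
			out = append(out, Finding{path, "ed25519_der_hex"})
		case isStr && pemPrivateKey.MatchString(s):
			out = append(out, Finding{path, "pem_private_key"})
		case isStr && nameHit && rawHex32.MatchString(s):
			out = append(out, Finding{path, "raw_32byte_hex"})
		case nameHit:
			out = append(out, Finding{path, "suspicious_field_name"})
		}
	})
	return out
}

// SampleCaptures are constructed requests to a hypothetical host, not real
// XACT traffic: a V1-style body carrying the key, a V2-style body carrying
// only signed bytes, a harmless 64-hex hash, and a nested seed phrase.
var SampleCaptures = []Capture{
	{"POST", "https://api.wallet.invalid/v1/transfer",
		`{"from":"0.0.1001","to":"0.0.2002","amount":5,"privateKey":"302e020100300506032b657004220420` + strings.Repeat("ab", 32) + `"}`},
	{"POST", "https://api.wallet.invalid/v2/submit", `{"signedTransaction":"CgkKAhgDEgMIgAE="}`},
	{"GET", "https://api.wallet.invalid/v2/status", `{"txHash":"` + strings.Repeat("cd", 32) + `"}`},
	{"POST", "https://api.wallet.invalid/v1/restore", `{"wallet":{"mnemonic":"abandon abandon abandon about"}}`},
}

func main() {
	for _, c := range SampleCaptures {
		for _, f := range FindKeyLeaks(c) {
			fmt.Printf("%s %s -> %s (%s)\n", c.Method, c.URL, f.Path, f.Reason)
		}
	}
}
```

Run it against a proxy's export rather than the sample list, and treat a bare 64-hex value as only a weak signal: it is also the shape of transaction hashes and raw public keys, which is why the code counts it only under a secret-looking field name.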

UPDATE:

I have confirmed that XACT mobile applications no longer use SDK V1 or send private keys, as of testing at 3:10 PM EST on Dec 23rd.

Malicious Activity:

There is no evidence that an attacker exploited anything to gain access to this server, or that an attacker obtained the information transmitted to it. The calls were carried over HTTPS and so were encrypted in transit from wallet to server. The server received the keys through that encrypted channel, used them to process the transaction and then discarded them; they were not stored on the server. Note that TLS protects the keys only while they travel: the server endpoint handles them in plaintext, and whether they were retained there cannot be verified from the client side.

Possible Exploits:

If a malicious actor gained access to the main API server, they could have installed a logger to record the POST requests to the server and so saved the keys from every transaction made while it ran. Because the keys arrive in the request body after TLS termination, such a logger would capture them in plaintext, and they would be usable to sign any transaction from the affected wallets. There is no evidence of, or accusation that, this has taken place; this only describes the known vulnerability.
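To make the difference between the V1 and V2 designs concrete, here is an added example in Go, not XACT's code, that models the situation above: a stand-in API server with an intruder's request logger attached, a V1-style client that ships its private key, and a V2-style client that signs on device and ships only the signature. The JSON field names, the account IDs and the raw-hex key encoding are assumptions for the demonstration, not XACT's actual API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Transfer is the operation both SDK versions ask the server to carry out.
type Transfer struct {
	From   string `json:"from"`
	To     string `json:"to"`
	Amount int64  `json:"amount"`
}

// v1Request is the V1 anti-pattern: the private key (raw 64-byte Ed25519 key
// as hex, an assumed encoding) rides along so the server can sign for the client.
type v1Request struct {
	Transfer
	PrivateKey string `json:"privateKey"`
}

// v2Request is the on-device pattern: only the signature and public key travel.
type v2Request struct {
	Transfer
	PublicKey string `json:"publicKey"`
	Signature string `json:"signature"`
}

// Server stands in for the API host; Log is every raw request body, exactly
// what a logger planted by an intruder sees once TLS has been terminated.
type Server struct{ Log []string }

func mustJSON(v interface{}) []byte {
	b, _ := json.Marshal(v)
	return b
}

// handleV1 signs with the client's key and then forgets it; the log already has it.
func (s *Server) handleV1(body []byte) error {
	s.Log = append(s.Log, string(body))
	var req v1Request
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	priv, _ := hex.DecodeString(req.PrivateKey)
	if len(priv) != ed25519.PrivateKeySize {
		return errors.New("v1: bad private key")
	}
	_ = ed25519.Sign(ed25519.PrivateKey(priv), mustJSON(req.Transfer))
	return nil
}

// handleV2 only verifies; nothing it receives or logs is able to sign.
func (s *Server) handleV2(body []byte) error {
	s.Log = append(s.Log, string(body))
	var req v2Request
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	pub, _ := hex.DecodeString(req.PublicKey)
	sig, _ := hex.DecodeString(req.Signature)
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(pub), mustJSON(req.Transfer), sig) {
		return errors.New("v2: signature does not verify")
	}
	return nil
}

// SendV1 and SendV2 are the two client behaviours against the same server.
func SendV1(s *Server, priv ed25519.PrivateKey, t Transfer) error {
	return s.handleV1(mustJSON(v1Request{t, hex.EncodeToString(priv)}))
}

func SendV2(s *Server, priv ed25519.PrivateKey, t Transfer) error {
	pub, sig := priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, mustJSON(t))
	return s.handleV2(mustJSON(v2Request{t, hex.EncodeToString(pub), hex.EncodeToString(sig)}))
}

// AttackerCanForge uses one logged body, and nothing else, to try to sign a
// different transfer. A V1 entry holds the key; a V2 entry holds only a
// signature bound to the original transfer, which fails over new data.
func AttackerCanForge(logEntry string, victim ed25519.PublicKey, want Transfer) bool {
	msg := mustJSON(want)
	var v1 v1Request
	if json.Unmarshal([]byte(logEntry), &v1) == nil && v1.PrivateKey != "" {
		priv, _ := hex.DecodeString(v1.PrivateKey)
		return len(priv) == ed25519.PrivateKeySize &&
			ed25519.Verify(victim, msg, ed25519.Sign(ed25519.PrivateKey(priv), msg))
	}
	var v2 v2Request // replay: the logged signature covers the old transfer, not this one
	_ = json.Unmarshal([]byte(logEntry), &v2)
	sig, _ := hex.DecodeString(v2.Signature)
	return ed25519.Verify(victim, msg, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	legit := Transfer{From: "0.0.1001", To: "0.0.2002", Amount: 5} // constructed IDs
	drain := Transfer{From: "0.0.1001", To: "0.0.6666", Amount: 1000000}
	srv := &Server{}
	fmt.Println("v1:", SendV1(srv, priv, legit), "v2:", SendV2(srv, priv, legit))
	fmt.Println("forge from V1 log entry:", AttackerCanForge(srv.Log[0], pub, drain)) // true
	fmt.Println("forge from V2 log entry:", AttackerCanForge(srv.Log[1], pub, drain)) // false
}
```

The run shows the point: from a V1 log entry the intruder recovers the key and signs an arbitrary drain transfer that verifies under the victim's public key; from a V2 log entry all they hold is a signature bound to the original transfer, which fails verification over anything else, and any edit to a logged V2 body is rejected by the server for the same reason. A V2 server still needs replay protection for an unmodified signed transaction, which is outside this example.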

Server Security:

The XACT API server is accessed with SSH keys, and access using those keys is restricted by IP address. Only the founders hold the keys. This limits who can log in to the host; it does not by itself protect against a compromise through the API application.

Open Vulnerabilities:

The applications in the app stores stopped using SDK V1 at around 3 PM EST on Dec 23rd. Private keys are no longer being sent while the updated applications roll out to replace the old ones.

References:

XACT Twitter Statement: https://twitter.com/WalletXact/status/1473864172458819585

POST sensing tests: (captured request screenshots not reproduced)

Turtle Moon is a company creating tools and infrastructure for the Hedera NFT community. HGraph Punks is an NFT project being created by the same team.
