XACT Wallet Security Analysis

TL;DR

FULL REPORT

Claim:

The XACT wallet sends the wallet's private keys over the web (inside HTTPS) so that transactions built through their SDK can be signed, and the signing calls are executed on their server rather than on the device.

Confirmations:

XACT has released a public statement confirming that this is true and that it is a vulnerability in their SDK v1. Below is a snippet of their statement in which they describe the issue and explain how it was engineered:

I have also confirmed, through proxy sensing on my personal iOS device using the XACT iOS application, that these POSTs from the device are sending private keys.

UPDATE:

I have confirmed that the XACT mobile applications no longer use SDK v1 or send private keys, as of testing at 3:10 PM EST on Dec 23rd.

Malicious Activity:

There is no evidence that an attacker exploited this to gain access to the server, or that an attacker obtained the information being transmitted to it. The calls were made over HTTPS, so the traffic was encrypted in transit from wallet to server. The server received the keys over these encrypted connections, used them to process the transaction, and then discarded them; the keys were not stored on the server.

Possible Exploits:

If a malicious actor had gained access to the main API server, they could have installed a logger to record the POSTs reaching the server and saved the keys of every transaction being made. There is no evidence or accusation that this has taken place; this is only a description of the known vulnerability.

Server Security:

Access to the XACT API server is by SSH key, and the keys are restricted to specific source IP addresses. Only the founders hold these keys.

Open Vulnerabilities:

The applications in the app stores stopped using SDK v1 around 3 PM EST on Dec 23rd. Private keys are no longer being sent now that the updates replacing the application are rolling out.

References:

XACT Twitter Statement: https://twitter.com/WalletXact/status/1473864172458819585

POST sensing tests:
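The proxy test described above (watching outgoing POSTs for key material) can be automated. The script below is an added example, not XACT's code and not the author's own tooling: it takes a list of captured requests in a minimal constructed format (method, URL, JSON body), walks every field of each body, and flags fields whose name or value looks like private-key material. The two sample requests are constructed to contrast the SDK v1 shape the report describes (a private key in the body) with a client that signs on the device and sends only the signed transaction; the URLs, field names and key bytes are placeholders, and the Ed25519 PKCS#8 DER prefix on the sample key is used only to make the value realistic.

```python
"""Scan captured HTTP request bodies for private-key material.

Added example (not XACT's code). It models the "POST sensing" check:
run a proxy on the device, export the requests, and flag any request
whose body carries a private key rather than a signed transaction.
The input format and the sample payloads are constructed for illustration.
"""
import json
import re
from typing import Any, Iterator, List, Tuple

# Heuristic field names that usually hold secrets (assumption, not an SDK spec).
SECRET_NAME = re.compile(r"priv|secret|seed|mnemonic", re.IGNORECASE)

# A raw 32-byte key is 64 hex chars; a PKCS#8-wrapped Ed25519 key is longer.
# Hashes look the same, so a match on the value alone is only "medium" severity.
LONG_HEX = re.compile(r"^(?:0x)?[0-9a-fA-F]{64,}$")


def _scalars(obj: Any, path: str = "body") -> Iterator[Tuple[str, Any]]:
    """Yield (json_path, value) for every leaf of a parsed JSON body."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _scalars(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _scalars(value, f"{path}[{index}]")
    else:
        yield path, obj


def scan_request(req: dict) -> List[Tuple[str, str, str]]:
    """Return (severity, json_path, reason) findings for one captured request.

    `req` is a minimal HAR-like dict {"method", "url", "body"} with `body`
    as a JSON string (constructed format, not a real proxy export).
    """
    findings: List[Tuple[str, str, str]] = []
    if req.get("method", "").upper() != "POST" or not req.get("body"):
        return findings
    try:
        parsed = json.loads(req["body"])
    except json.JSONDecodeError:
        return [("medium", "body", "non-JSON POST body; inspect manually")]
    for path, value in _scalars(parsed):
        name = path.rsplit(".", 1)[-1]
        looks_like_hex_key = isinstance(value, str) and LONG_HEX.match(value) is not None
        if SECRET_NAME.search(name):
            findings.append(("high", path, "field name suggests key material"))
        elif looks_like_hex_key:
            findings.append(("medium", path, "64+ hex chars: raw key or hash, triage"))
    return findings


def scan_capture(requests: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Scan a whole capture; each finding is (url, severity, json_path, reason)."""
    return [(r["url"], sev, path, why)
            for r in requests
            for sev, path, why in scan_request(r)]


# Constructed sample: the SDK v1 shape the report describes (key in the body).
# The hex value is a PKCS#8 Ed25519 DER prefix followed by a dummy 32-byte key.
V1_STYLE = {
    "method": "POST",
    "url": "https://api.example.invalid/sign",   # placeholder host
    "body": json.dumps({
        "privateKey": "302e020100300506032b657004220420" + "ab" * 32,
        "transaction": {"to": "0.0.5678", "amount": 100},
    }),
}

# Constructed sample: signing happens on the device; only the result leaves it.
ON_DEVICE_STYLE = {
    "method": "POST",
    "url": "https://api.example.invalid/submit",  # placeholder host
    "body": json.dumps({
        "signedTransaction": "CgIYAQ==",           # opaque signed bytes, base64
        "transactionId": "0.0.1234@1640283000.000000000",
    }),
}

if __name__ == "__main__":
    for finding in scan_capture([V1_STYLE, ON_DEVICE_STYLE]):
        print(finding)
```

Run against a real export, the "high" findings are the ones to act on; "medium" hits are mostly transaction hashes and need a look at the field name and the endpoint before deciding. The design point is that a client which signs locally never produces a "high" finding, because nothing it sends contains the key, regardless of how well the transport is encrypted.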


HGraph Punks

Turtle Moon is a company creating tools and infrastructure for the Hedera NFT community. HGraph Punks is an NFT project being created by the same team.