XACT Wallet Security Analysis

HGraph Punks
3 min readDec 23, 2021

--

TL;DR

  • XACT SDK V1 is sending private keys over encrypted communications (HTTPS/SSL) to their API server to execute transactions.
  • There is no evidence of XACT wallet private keys being stolen or exposed.
  • Private Keys are not exposed except to the API Server and no vulnerability was exploited to anyones knowledge.
  • There is a vulnerability that if a hacker broke into the XACT API server, they could log these requests and the keys to use them maliciously
  • XACT has put security measures in place on the API server to mitigate this risk: SSH Sign in keys for only 2 users, the founders and IP restricting access to these SSH keys to the server.
  • XACT is updating their API to V2 where all transactions are done on device and no keys are sent to API server.
  • XACT mobile applications have stopped using this SDK V1 and sending private keys to server around 3pm EST Dec 23rd.

FULL REPORT

Claim:

XACT wallet is passing the wallets private keys over the web in HTTPS to sign transactions that are executed through their SDK and executing calls on their server instead of device.

Confirmations:

XACT has released a public statement describing this is true and this is a vulnerability in their SDK V.1. Below is a snippet where they describe the issue in their statement and explain how it was engineered:

I have also confirmed these posts on the device are sending private keys from proxy sensing on my personal iOS device using the XACT iOS application.

UPDATE:

I have confirmed XACT mobile applications no longer use SDK V1 or send private keys as of testing 3:10PM EST Dec 23rd

Malicious Activity:

There is no evidence of an exploit being used by a hacker to gain access to this server or a hacker getting the information being transmitted to this server. HTTPS was used to convey calls and was encrypted in its movement from wallet to server. The keys were received on the server through these encrypted communications to process the transaction and then the keys were thrown away, not stored on the server.

Possible Exploits:

If a malicious actor gained access to the main API server, they could have installed a logger to keep track of the posts to the server and saved the keys of transactions being made. There is no evidence or accusation this has taken place. This is only the known vulnerability being described.

Server Security:

XACT API server uses SSH keys that are restricted by IP address to gain access to the server. Only the founders have access to these keys.

Open Vulnerabilities:

The applications in the stores stopped using this SDK V1 around 3pm EST Dec 23rd. The private keys are no longer being sent as the updates are taking place to replace the application.

References:

XACT Twitter Statement: https://twitter.com/WalletXact/status/1473864172458819585

POST sensing tests:

--

--

HGraph Punks

Turtle Moon is a company creating tools and infrastructure for the Hedera NFT community. HGraph Punks is an NFT project being created by the same team.