Privacy-leak bug found in Nighthawk and ECC wallets


Nighthawk Wallet iOS and ECC Reference Wallet iOS users should upgrade to the latest versions in order to remediate a security vulnerability. No other wallets are affected by this bug, and remediation steps are outlined below.

Vulnerability details

In buggy versions of the wallets, when a user opted to include their wallet’s address in an outgoing memo field using the “Reply-To” feature, the wallet would mistakenly include the wallet’s secret viewing key rather than the wallet’s address. If you use the Nighthawk Wallet or the ECC Reference Wallet for iOS, you can determine if you were affected by inspecting each of your wallet’s outgoing transaction memo fields and looking for any “Reply-To” components that begin with “zxview”. A field beginning with “zxview” indicates that your wallet’s viewing key was included in the memo rather than the wallet’s address.
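The check described above can be scripted over an export of outgoing memos. This is an added example, not code from ECC or Nighthawk; the `(txid, memo)` export shape, the `Reply-To:` label syntax and all sample values are assumptions constructed for illustration. Matches are redacted so that the viewing key is not copied into reports or logs.

```python
import re
from dataclasses import dataclass

# Assumption: the reply-to element is written as "Reply-To:" followed by a value.
REPLY_TO = re.compile(r"reply-to\s*:\s*(\S+)", re.IGNORECASE)
VIEWING_KEY_PREFIX = "zxview"  # prefix named in the advisory


@dataclass
class Finding:
    txid: str
    redacted: str  # shortened form only; the full key is never stored here


def redact(value: str, keep: int = 10) -> str:
    """Keep enough of the value to recognise it, drop the rest."""
    return f"{value[:keep]}...[{len(value)} chars]"


def scan_memos(memos):
    """Return a Finding for each memo whose Reply-To value is a viewing key."""
    findings = []
    for txid, memo in memos:
        text = memo.rstrip("\x00")  # memo fields are zero-padded to a fixed size
        for match in REPLY_TO.finditer(text):
            value = match.group(1)
            # Only the Reply-To value counts, not "zxview" elsewhere in the memo.
            if value.lower().startswith(VIEWING_KEY_PREFIX):
                findings.append(Finding(txid, redact(value)))
                break
    return findings


# Constructed sample data: hypothetical txids and placeholder values.
SAMPLE_KEY = "zxviewCONSTRUCTEDSAMPLEKEY0000"
SAMPLE_MEMOS = [
    ("tx-0001", "Thanks for lunch\nReply-To: zs1constructedsampleaddr"),
    ("tx-0002", "Invoice 17\nReply-To: " + SAMPLE_KEY + "\x00\x00\x00"),
    ("tx-0003", "what does zxview mean?\nreply-to: zs1constructedsampleaddr"),
    ("tx-0004", "no reply element in this memo"),
]

if __name__ == "__main__":
    for f in scan_memos(SAMPLE_MEMOS):
        print(f"{f.txid}: viewing key leaked in Reply-To ({f.redacted})")
```

Any transaction the scan reports means the memo's recipient holds the viewing key, so the remediation steps below apply to that wallet.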

Remediation steps

All users should immediately upgrade to the latest version of the wallet software. If you were affected by the bug, i.e., one or more of your outgoing “Reply-To” fields begins with “zxview”, then the recipients of those memos will be able to see your wallet’s transaction history, including any memo field contents. Due to the permanent nature of data stored on the blockchain, it’s not possible to revoke access to that information.

To prevent unintended viewing key recipients from seeing any future transaction details, you should upgrade your wallet to the latest software version, create a new wallet, and migrate your funds to the new wallet. Please back up your seed phrase prior to attempting this to reduce the risk of accidentally losing funds in the process.

Affected versions

The bug existed in the ECC iOS Reference Wallet 0.3.7-105 codebase from May 6, 2021 to today. The commit containing the fix is available here and in versions of the ECC Reference Wallet 0.5.0-120 or later (for testnet) and 0.4.0-117 or later (for mainnet). The ECC iOS Reference Wallet has a very limited distribution, almost entirely limited to ECC employees.

Nighthawk was affected as of version 1.9, which was released on July 2, 2021. The bug has been fixed as of Nighthawk version 1.21, which was released July 11, 2021.

We would like to thank the Nighthawk Wallet developers for finding the bug and acting on it immediately.
