PSA: Vulnerability found in OKX iOS app

[Potato Chips]

If you have the app, please update it or if you want an extra peace of mind, uninstall it in the mean time.

So couple of hours ago CertiK tweeted they found a vulnerability in the OKX iOS App:

🚨 Attention! We urge users of OKX wallets to update their iOS app to the latest version immediately. Earlier this month, we identified and reported a critical Remote Code Execution (RCE)  vulnerability in the OKX iOS App,  leading to potential compromise of sensitive data and crypto assets. The OKX team responded swiftly and issued an updated version today.

which was shortly followed by OKX:

Thanks @Certik for the note.

We've completed the relevant upgrade & this is no longer an issue. We have verified that this did not impact any customer assets.

The fix has been deployed to iOS version 6.45.0 & we recommend you update the app asap.

Fortunately, so far, I haven't seen any user reports about damages especially since CertiK mentioned they discovered it "earlier this month" indicating this could have been weeks ago and update plus announcement were only released today.

In any case, people who have the app on iOS are encouraged to update it or uninstall ASAP.

[1714558844]

1714558844

[1714558844]

1714558844

[1714558844]

1714558844

[1714558844]

1714558844

[1714558844]

1714558844

[1714558844]

1714558844

[Oshosondy]

Thanks for bringing this.

But if I should add, I do not like OKX on the app, but I am using Android. It is one of the slowest that I have seen. I have many exchange accounts but OKX Android app is the worst.

Although I like the exchange, but most especially on the laptop while using browser. It is still one of the best exchange. Android and browser nit affect, so I can continue to access the site.

[Upgrade00]

Yet another reason to not use centralized exchange as a wallet to store funds.

They are custodian and can have vulnerabilities you cannot help against, leading to loss of funds.

[Bitcoin_Arena]

In any case, people who have the app on iOS are encouraged to update it or uninstall ASAP.

They should make a forced update (app unusable unless if updated)

So how are certik able to recognize such a vulnerability if the app is not open source?

Yet another reason to not use centralized exchange as a wallet to store funds.

You can't avoid it if you are like a day trader or doing futures trading. The coins will still have to be in an exchange unless if you plan to withdraw and deposit everytime you want to trade

They are custodian and can have vulnerabilities you cannot help against, leading to loss of funds.

Most importantly, if they are not open source (at least for wallets)... unfortunately when it comes to serious spot day trading or futures. Centralize exchanges beat decentralized once in most cases, so users find themselves using this platforms every day regardless of the looming dangers.

[sheenshane]

This wallet seems new to my ears now, I didn't know this wallet before.
Based on what I've found upon searching, a lot of users on Reddit posted that this wallet I've mentioned was scammed.  So no wonder if they'll end up closing their wallet when they bankrupt soon.

Thank you for bringing up this topic here.
For those holders who have fund in that wallet might need to transfer them right now to another wallet that you have full control of.
We've already reputable non-custodial wallets like Electrum, there's no need to experiment with others.

[Darker45]

In any case, people who have the app on iOS are encouraged to update it or uninstall ASAP.

They should make a forced update (app unusable unless if updated)

Exactly! Considering that the vulnerability exposes users to high risks which include an attacker taking full control of the wallet and, therefore, stealing all funds, the app should have made inaccessible to those who haven't updated it yet. How many OKX iOS users regularly update themselves of the latest especially through Twitter?

I haven't read, though, of a single OKX iOS mobile app user who had his/her funds drained, but CertiK interestingly insists they have "hard evidence" that the vulnerability can result to precisely that.

This wallet seems new to my ears now, I didn't know this wallet before.
Based on what I've found upon searching, a lot of users on Reddit posted that this wallet I've mentioned was scammed.  So no wonder if they'll end up closing their wallet when they bankrupt soon.

Thank you for bringing up this topic here.
For those holders who have fund in that wallet might need to transfer them right now to another wallet that you have full control of.
We've already reputable non-custodial wallets like Electrum, there's no need to experiment with others.

This is just OKX's mobile app on iOS. OKX, of course, is the old OKEx which rebranded to OKX just last year. I don't know how OKX's mobile app is accused of being a scam or of going bankrupt soon, but the brand has been operating quite well for years, easily one of the most trusted crypto exchanges. Of course, centralized exchanges can't be trusted, but that's another story.

[Yamane_Keto]

🚨 Attention! We urge users of OKX wallets to update their iOS app to the latest version immediately. Earlier this month, we identified and reported a critical Remote Code Execution (RCE)  vulnerability in the OKX iOS App,  leading to potential compromise of sensitive data and crypto assets. The OKX team responded swiftly and issued an updated version today.

I did not find any details regarding the potential compromise of sensitive data and crypto assets. Does this mean that the application’s permissions to access personal files and Keyboard are sent to an external server? Is this related to the application’s data or is it able to access the private key of other wallets on the device?

[rat03gopoh]

It has not been specifically explained in what direction the vulnerability is at risk. Afaik, OKEx combines their web3 wallet (self-custody) and exchange software in one app with separate tabs and different access methods.
I'm also not an iOS user, from my experience using the app over the last few months, update requests are more frequent than other platform wallets I've used.

[Potato Chips]

So how are certik able to recognize such a vulnerability if the app is not open source?

Did a quick a lookup and it appears OKX were partners with CertiK for some stuff, see: https://www.globenewswire.com/news-release/2023/06/27/2694925/0/en/Flash-News-OKX-Wallet-and-CertiK-Extend-Partnership-to-Validate-BRC-20-Token-Contracts.html

so perhaps they have also taken a look of some parts of the app and noticed something's up.

I did not find any details regarding the potential compromise of sensitive data and crypto assets. Does this mean that the application’s permissions to access personal files and Keyboard are sent to an external server? Is this related to the application’s data or is it able to access the private key of other wallets on the device?

They have provided very little information about this so who knows. My guess is both parties probably had some sort of aggreement on what to say.

[Yamane_Keto]

They have provided very little information about this so who knows. My guess is both parties probably had some sort of aggreement on what to say.

If this is true, it is better to delete the application quickly, as the personal data of customers has most likely been leaked, so you must be careful of any message from the support team, phishing links, or a social attack that knows some of your personal information.

[sunsilk]

I don't use iOS nor OKX. But I think in general if you're into these cexes, it's always been safe to just use their website on browsers than to download the app.

Because with one wrong update from whoever is on the back end or some hackers got it and they have forced all of their users to a single update. It can cost people's money.

Just saying about that but if you're finding it comfortable to use OKX's iOS app or any other exchange's app. Make sure that you always check updates from them.