The issue in a few words (from the Tangem team):


The statement from the company: https://www.reddit.com/r/Tangem/comments/1hougo1/comment/m4jygh9/?context=3

Article: https://cointelegraph.com/news/tangem-security-vulnerability-fixed-private-key-leak

I thought you were using Foundation Passport. Or probably you have many of the hardware wallets.

There was a post about it on collectibles which I also posted on. I think I will prefer to use wallet on airgapped device instead. Some people might have lost their coins thinking hardware wallet are very safe.

OmegaStarScream thanks for making this understandable.

Nobody should be surprised when things like this happens to closed source hardware wallets and their crap app
I really don't understand why anyone would use tangem products when they already have great open source alternative called Satochip.
They are both in exact credit card format but users have much more freedom and choice with all Satochip products.

I will remind everyone to STOP using all hardware wallets that are not open source.

Who let their programmer add code which log seed phrase or other sensitive data? Anyway, looking at their blog post[1] makes it clear Tangem company trying to downplay this security vulnerability. They use term "Potential Vulnerability" which is wrong since people can reproduce the security vulnerability.

[1] https://tangem.com/en/blog/post/tangem-resolves-log-issue/

Nice catch. And as I have already said there is an option to see what you are sending to support and edit the message. Thus, those who sent them their log with SEED were careless people who preferred not to  take the trouble of  reading  what they are sending. I would not create a strained atmosphere relevant to Tangem.

Edit what exactly? You mean it just opens a notepad and lets you arbitrarily modify the log file?

Assuming there wasn't some sort of vulnerability like this in the first place, who would want to do that? Most people don't read log files. It's mainly a feature for the developers and its sent automatically without modification.

Tap three dots in the upper right corner of the app, tap contact support, It shows the content  of the message ^{which can be edited directly within app} plus app_logs.txt attached which can be deleted by pressing "x" at the attachment. Regarding app_logs.txt, I think  there  is a way to reach this file on my Android and analyze it . Should check this at my spare time.

UPD. Wasting no time, found the easy way how to look at app_logs.txt. At the top of message tap To field, tap Remove, isert into To-field  you own email address   and send to yourself app_logs.tx attached. ^shazam



Agreed, most people are careless.

Going to repost something I have posted here and reddit and github and other places over time.

So more or less quoting myself.


I can go on with dozens of other examples if you want.


So the code could have been reviewed. But people missed it.

If 1000s of people reviewing the above projects over years and years missed some (after the fact) totally obvious issues like these then a smaller company missing something like this is GOING TO HAPPEN.

Or to put it another way.

OPEN SOURCE IS NOT MORE SECURE. OPEN SOURCE ALLOWS PEOPLE TO SEE WHAT IS HAPPENING. AND POSSIBLY FIND MISTAKES THAT OTHERS HAVE MADE. BUT UNLESS THE PEOPLE LOOKING AT IT SEE THE MISTAKE AND REPORT IT THEN IT'S NO BETTER THEN CLOSED SOURCE.

Ending rant.

-Dave

For the longest time you could NOT get a seed from a Tangem card.
People kept freaking out about recovering it in case something happened to all their cards so Tangem gave in to them and allowed you to see your seed on your phone when you created your wallet.
Now the app has always loged a fair amount of data, none of it security compromising.

When they re-wrote the app to display your seed it was understandably logged for testing / debugging.

And then, someone screwed up and did not take the logging out when they pushed it to production.

So if you did send your logs out to them for support before they were overwritten they got a copy of your seed.

Which proves that people love to talk about open source but nobody reads / understands a lot of it even when they use it.

-Dave

Yes I worked with them on a project for creating special edition designed Satochip cards.
This was announced, posted publicly in bitcointalk forum, and I think most of the cards sold very quickly.
I stand by that Satochip is 10 times better than Tangem in every way.

This is NOT firmware and I was talking about that.
They app is super crap, and it's not important it if is claimed to be partially open source when it can't be compiled.
They are deceivers and amateurs, so anyone choosing to trust them is playing Russian roulette.