Security Notice: Chrome Extension Encryption Issue

A case where user seed phrases could be found unencrypted on disk has been fixed for Xverse Extension versions 0.11.5 and later

Author(s)

Daniel Bowden

The following does not impact Xverse iOS and Android app users, and only impacts a segment of Xverse Extension users.

Background

The Xverse team was made aware of an instance where a Secret Recovery Phrase used by wallets like Xverse was stored unencrypted on the local device under certain conditions.

We felt this violated users' expectations of our password feature and could therefore put some users at risk. We have since implemented mitigations for these issues in Xverse Extension versions 0.11.5 and later.

The Xverse wallet Chrome extension stores the wallet seed phrase on the local device in encrypted form only. A password must be entered in order to decrypt the seed phrase for use. This is the same for nearly all major hot wallets. The wallet also persists application state on the device in Chrome local storage. This application state data normally does not contain any private key information. In a recent update, our password encryption feature's security was partially undermined by browser behavior: the seed phrase was written unencrypted to a local log file by Chrome during the onboarding flow.

Impact

The seed phrase never left the user's device and was never exposed to any third parties. Therefore, the risk to users is minimal. The only way the seed phrase could be exposed is if the user's computer has already been compromised by malware.

If the following conditions apply to you, you may be at risk, and you should read below for next steps:

  • Your computer has pre-existing malware
  • Your computer was stolen or exposed to people you do not trust

If any of the above conditions apply to you, then your Secret Recovery Phrase may be accessible to someone with access to the computer your wallet is on, and you may want to consider migrating funds from those accounts to be safe. We have prepared a guide on how to migrate your accounts here.

This vulnerability could be exploited either by a person with physical access to your machine or by malware. However, if your device is compromised by malware, there are already many other attacks we cannot protect against (like keyloggers, direct memory access, and program control).

This does not affect Xverse mobile apps. There were no reported hacks or exploits and no users lost funds as a result of this issue.

Conclusion

After the team investigated the issue, we immediately released an update to the Chrome extension (Version 0.11.4) which prevented the seed phrase from being logged locally in its unencrypted state when the user creates or restores the wallet. Shortly after, another update (Version 0.11.5) was released which provides a way to erase any previously cached local logs to make sure that no traces of unencrypted seed phrases remain.
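As an added example (not Xverse's code), here is one way to enforce the property the 0.11.4 fix restores: application state is sanitized before it is persisted, and a regression check refuses to write anything that still looks like a recovery phrase. The field names, the state shape and the injected storage object are assumptions.

```javascript
// Added example, not Xverse code: keep wallet secrets out of persisted
// extension state. Key names, the state shape and the storage API are assumed.
const SENSITIVE_KEYS = new Set(['seedPhrase', 'mnemonic', 'privateKey', 'password']);

// Strip sensitive fields at any nesting depth before the state is written,
// so a later refactor cannot persist a secret by accident.
function redactForPersistence(value) {
  if (Array.isArray(value)) return value.map(redactForPersistence);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (SENSITIVE_KEYS.has(k)) continue;
      out[k] = redactForPersistence(v);
    }
    return out;
  }
  return value;
}

// Regression check: 12 or more lowercase words separated by single spaces is
// the shape of a BIP39 recovery phrase (12-word phrases and longer ones match).
const MNEMONIC_RE = /\b(?:[a-z]{3,8} ){11}[a-z]{3,8}\b/;

function looksLikeMnemonic(serialized) {
  return MNEMONIC_RE.test(serialized);
}

// Persist state through an injected storage object with a Promise-returning
// set(), such as chrome.storage.local; refuse to write anything that still
// resembles a recovery phrase after redaction.
async function persistState(storage, state) {
  const safe = redactForPersistence(state);
  if (looksLikeMnemonic(JSON.stringify(safe))) {
    throw new Error('refusing to persist state that resembles a recovery phrase');
  }
  await storage.set({ appState: safe });
  return safe;
}

// Constructed onboarding state; the phrase is the public BIP39 test vector.
const ONBOARDING_STATE = {
  step: 'confirm-seed',
  seedPhrase: 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about',
  accounts: [{ address: 'constructed-address', privateKey: 'constructed-key' }],
};
```

The same check can run in a unit test against every state slice the extension persists, so a future onboarding change that reintroduces the seed phrase fails in CI rather than on a user's disk.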

A few important things:

  1. Clear your cached data. In the latest version of the Chrome extension, users may receive a message to update wallet data storage to clear cached data. Users can opt to “do it later” in which case the notification will appear again in 10 minutes.
  2. It’s your responsibility to keep your computer secure. No wallet can keep itself safe if the system it runs on is compromised.
  3. Hardware wallet support will be coming very soon to Xverse, at which time we highly recommend you backup your most treasured assets offline.

The Xverse wallet browser extension is fully open source and undergoes periodic independent security audits. We have implemented mitigations for these issues so they will not occur again. Our team remains committed to the highest standards of engineering and security.
