The recent wallet hacks on other platforms have brought to light potentially serious security issues connected to the use of common analytics tools in Web3. In light of those hacks, we are sharing a perspective on a recent experience involving similar tools.
On June 6th, 2022, the NEAR Wallet team received a bug report indicating that sensitive information had been shared with a third party. The issue was fixed promptly the same day.
While the team was aware of this threat, and careful to sanitize data collected by the third party service, a code change nevertheless resulted in the collection of sensitive data for some users who had used email or SMS recovery with their wallets. Thankfully, @Hacxyk caught this before us and submitted the finding to our security team on June 6th (for which they have earned a bounty). The wallet team immediately remediated the situation, scrubbed all sensitive data, and identified any personnel who could have had the ability to access this data.
To date, we have found no indicators of compromise related to the accidental collection of this data, nor do we have reason to believe this data persists anywhere.
Regardless, we no longer allow users to create accounts using email or SMS for account recovery. Despite having no evidence of compromise, we strongly recommend that users who have used email or SMS recovery options in the past rotate their keys. This can be accomplished by visiting wallet.nearpages.wpengine.com, either by enabling a Ledger device (your most secure option and highly recommended) or enabling passphrase security. After doing this, users should disable email or SMS recovery.
With the transition of the open source wallet codebase to the team at My NEAR Wallet, many improvements are in the works.
We remind our users that the security of wallet accounts is of utmost importance to us–and it doesn’t stop with us either. User choices and behavior also impact security. Please consider using a hardware device, like a Ledger, to secure your wallet. Use only trusted and secured devices when creating and accessing your wallet. Never give out your recovery phrase or private keys.
You can learn more about the future of wallet.nearpages.wpengine.com here:
blog/near-opens-the-door-to-more-wallets/
The MyNearWallet team is also actively improving the security of wallets as outlined here:
https://medium.com/mynearwallet-blog/mynearwallet-security-statement-fd24265d91f2
