/arc-photo-coindesk/arc2-prod/public/LXF2COBSKBCNHNRE3WTK2BZ7GE.png)
-
U.S. cyber authorities are investigating a possible vulnerability in the Binance Trust Wallet iOS app.
-
The vulnerability would allow attackers to steal money by guessing security words known as mnemonics.
A potential vulnerability for the iOS version of “Binance Trust Wallet” has been listed by the National Institute of Standards and Technology (NIST), a U.S. agency that sets best practices and standards for technology and cyber security.
The vulnerability was added to the CVE database, which lists serious issues that could have, or have already, caused material damage or losses, on Feb. 8. It is being investigated by NIST to determine the real-world severity of the vulnerability.
The flaw has already been exploited in the wild, according to the database entry. In July 2023, it allowed attackers to guess security words and steal money from digital wallets because of the way it used the trezor-crypto library.
“An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets,” NIST wrote in its update.
Trust Wallet suffered multiple cyber incidents in 2023, generating over $4 million in losses. The wallet was acquired by Binance in 2018. Binance has since released its own Web3 wallet.
“Trust Wallet is now a separate legal entity that is not part of the Binance group and operates independently from Binance.com,” a Binance spokesperson said in an email.
Trust Wallet’s X (formerly Twitter) profile has not posted about the vulnerability.
UPDATE (Feb. 15, 10:54 UTC): Adds Binance statement in penultimate paragraph.
Edited by Sheldon Reback.
