In June, NEAR Protocol, a Layer 1 blockchain, informed its customers that SMS and email data used as recovery options in its basic wallet service were compromised. According to a recent report from NEAR, the issue was fixed before any damage was done.
NEAR Protocol’s wallet solution at wallet.near.org enables users to add email addresses and phone numbers as recovery alternatives to their crypto wallet accounts. A system error revealed confidential information to a third party.
NEAR said that it was able to remedy the situation quickly by revoking the third party's and its own employees' access to the data, thus preventing the breach from endangering the security of customer funds or user privacy.
The wallet team swiftly fixed the problem, scrubbed the sensitive data, and identified employees who may have had access to this information.
The vulnerability was disclosed on June 6 by Hacxyk, a web3 security auditing firm that was paid a $50,000 bounty. However, the NEAR Protocol team had not shared the details publicly until recently.
Hacxyk said that NEAR's third party was the analytics provider Mixpanel. Hacxyk compared the situation to the recent Slope Wallet incident, in which wallet information was inadvertently sent to a central server. Hacxyk stated that in NEAR's case, private keys might also have been compromised.
Back in June, we found a bug in @NEARProtocol wallet that was almost the same as the recent Solana wallet hack. When a Near wallet user chooses “email” as the seed phrase recovery method, the seed phrase is leaked to a third party site. https://t.co/gHWhmxE3Sm pic.twitter.com/MK31xUeAeL
— Hacxyk. (@Hacxyk) August 4, 2022
The nature of the bug is similar to the recent Solana Slope wallet incident. In summary, seed phrases were inadvertently disclosed to the analytics provider Mixpanel when users selected email or SMS as the seed phrase recovery option. This means that those users' seed phrases were stored on Mixpanel's servers.
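The defensive pattern this incident calls for is to scrub secrets out of analytics events client-side before any SDK transmits them. The following is an added example, not code from NEAR's wallet or from Mixpanel; it assumes an analytics client exposing a track(eventName, properties) method, and its detection rules (key names, a 12- or 24-word heuristic, URL query stripping) are assumptions chosen for illustration.

```javascript
// Added example: redact wallet secrets from analytics event properties.
// Assumes a tracker with track(name, props); rules below are heuristics.

// Property names that should never carry a real value into telemetry.
const SENSITIVE_KEYS = /seed|mnemonic|phrase|private.?key|secret|password|recovery/i;

// A seed phrase is typically 12 or 24 lowercase words separated by spaces.
const SEED_PHRASE_RE = /^(?:[a-z]+\s+){11}[a-z]+$|^(?:[a-z]+\s+){23}[a-z]+$/;

// Recovery links can carry the phrase in the URL; keep only origin and path.
function stripUrlSecrets(url) {
  try {
    const u = new URL(url);
    u.search = '';
    u.hash = '';
    return u.toString();
  } catch {
    return '[redacted-url]';
  }
}

// Redact by key name, by seed-phrase shape, or by stripping URL parameters.
function redactValue(key, value) {
  if (SENSITIVE_KEYS.test(key)) return '[redacted]';
  if (typeof value === 'string') {
    if (SEED_PHRASE_RE.test(value.trim())) return '[redacted]';
    if (/^https?:\/\//i.test(value)) return stripUrlSecrets(value);
  }
  return value;
}

// Recursively sanitize a properties object (nested objects included).
function sanitizeEventProperties(props) {
  const out = {};
  for (const [k, v] of Object.entries(props || {})) {
    out[k] = (v && typeof v === 'object' && !Array.isArray(v))
      ? sanitizeEventProperties(v)
      : redactValue(k, v);
  }
  return out;
}

// Wrap a tracker so every event passes through the sanitizer first.
function safeTracker(tracker) {
  return {
    track(name, props) {
      const clean = sanitizeEventProperties(props);
      tracker.track(name, clean);
      return clean;
    },
  };
}
```

Wrapping the SDK at one choke point matters more than the exact rules: a page that later adds a new recovery flow still cannot send raw properties to the provider.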
As a security precaution, NEAR Protocol no longer permits email or SMS recovery options when creating accounts. Users who had previously utilised email or SMS recovery with their NEAR wallet were encouraged to "rotate your keys" or to add a hardware wallet such as a Ledger.
According to Hacxyk, NEAR's account model differs somewhat from Ethereum's: a single account may have multiple keys, each with different permissions. By "rotating keys", NEAR means that users should remove possibly compromised keys from the account and add new ones in their place.