PT-2024-20010 · Binance · Binance Trust Wallet
Outoflegend
Published 2024-02-08 · Updated 2024-02-23
CVE-2024-23660
CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Binance Trust Wallet app for iOS version 0.0.4
Description
The Binance Trust Wallet app for iOS misuses the trezor-crypto library, generating mnemonic words with the device time as the only entropy source. This has led to economic losses, as the issue has been exploited in the wild. Because the seed space is limited to the possible timestamps, an attacker can systematically generate the mnemonic for each timestamp within an applicable timeframe, link the results to specific wallet addresses, and steal the funds held there.
Recommendations
For version 0.0.4, consider disabling the use of the trezor-crypto library until a patch is available to prevent the generation of predictable mnemonic words.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Weakness Enumeration
Related Identifiers
Affected Products
Binance Trust Wallet
Trezor-Crypto