Privacy-leak bug discovered in Nighthawk and ECC wallets

Nighthawk Wallet iOS and ECC Reference Wallet iOS users should upgrade to the latest versions in order to remediate a security vulnerability. No other wallets are affected by this bug, and remediation steps are outlined below.

Vulnerability details

In buggy versions of the wallets, when a user opted to include their wallet’s address in an outgoing memo field using the “Reply-To” feature, the wallet would mistakenly include the wallet’s secret viewing key rather than the wallet’s address. If you use the Nighthawk Wallet or the ECC Reference Wallet for iOS, you can determine if you were affected by examining each of your wallet’s outgoing transaction memo fields and looking for any “Reply-To” components that begin with “zxview”. A field beginning with “zxview” indicates that your wallet’s viewing key was included in the memo rather than the wallet’s address.

Remediation steps

All users should immediately upgrade to the latest version of the wallet software. If you were affected by the bug, i.e., one or more of your outgoing “Reply-To”’s begins with “zxview”, then the recipients of those memos will be able to see your wallet’s transaction history, including any memo field contents. Due to the permanent nature of information stored on the blockchain, it is not possible to revoke access to that information.

To prevent unintentional viewing key recipients from seeing any future transaction details, you must upgrade your wallet to the latest software version, create a new wallet, and migrate your funds to the new wallet. Please back up your seed phrase prior to attempting this to reduce the risk of accidentally losing funds in the process.

Affected versions

The bug existed in the ECC iOS Reference Wallet 0.3.7-105 codebase from May 6, 2021 to today. The commit containing the fix is available here and in versions of the ECC Reference Wallet 0.5.0-120 or later (for testnet) and 0.4.0-117 or later (for mainnet). The ECC iOS Reference Wallet has a very limited distribution, almost entirely limited to ECC employees.

Nighthawk was affected as of version 1.9, which was released on July 2, 2021. The bug has been fixed as of version of Nighthawk 1.21 which was released July 11, 2021.

We would like to thank the Nighthawk Wallet developers for discovering the bug and acting on it immediately.