Potential Security Vulnerability of OneWallet v1.0.6 and v1.0.6.1

Rongjian Lan
Published in Harmony
Nov 19, 2020 (2 min read)

On November 18th around 7:30AM PST, some of our community members reported that their ONE tokens had been transferred out of their OneWallet without their approval. After receiving the reports, our team immediately started looking into the issue and found that all of the stolen tokens were transferred into the address one1qclwtjg85cx4kfcxj3t284p908knldvfwk53ps. That address received a total of 9 transactions, all of which happened between 5am and 6am PST on November 18th. Here is the address detail and its transaction history.

Out of the 9 transactions (25,356,279 ONE total) into the attacker's address, we have matched 5 of them with 5 different real users whose ONE tokens (6,745,217 ONE) were stolen. A common pattern among all of these users is that they stored their tokens in the OneWallet. We immediately dug into the OneWallet codebase and found a potential security vulnerability in the latest versions, v1.0.6 and v1.0.6.1. The issue is with the newly added feature that saves users from having to repeatedly enter their password for each transaction. To do so, it stores the user's credential data in Chrome extension storage, which sits on disk in the browser profile and can be read and stolen by anyone who has compromised the user's machine. We also checked the attacker's transactions and concluded that this is not an attack on our chain: the Harmony blockchain is working securely as expected.

We immediately rolled back the feature and pushed a safe version, v1.0.7 (functionally the same as the old and safe v1.0.5), to the Chrome Web Store. Unfortunately, it takes a few days for the Chrome Web Store to review and publish the new version. Until then, we recommend that all OneWallet users install the safe version v1.0.7 manually by:

  1. Export your private keys from your current OneWallet, unless you still have the original mnemonics for them.
  2. Download and unzip the packaged file of OneWallet v1.0.7.
  3. Remove the currently installed OneWallet from Chrome by right-clicking the OneWallet icon and selecting “Remove from Chrome…”
  4. Install the unzipped v1.0.7 OneWallet package: open “More Tools” -> “Extensions” in the Chrome menu, enable Developer mode, click “Load unpacked” and select the unzipped folder.
  5. Import the exported private keys or mnemonics and choose a different password for the account.

We also recommend transferring your tokens to a new address created with the safe version of OneWallet (v1.0.7), since key material stored by the affected versions may already have been exposed, to avoid problems with the legacy data.

The security of our users' funds is our highest priority, and we are sincerely sorry about this incident. We are working closely with the affected users to prevent further damage. If you were also affected by this incident, please report your case in this form and we will contact you as soon as possible.
