MyNearWallet Security Statement

0xDG, published in MyNearWallet Blog, Aug 4, 2022

Concerning this tweet about NEAR wallet security

Hacxyk Tweet about NEAR

Key points

  • We removed the email/SMS recovery methods because we deemed them not secure enough. The MNW team's priority is your security.
  • Only those who actually used the Email/SMS recovery methods might be affected. If you enabled these methods but never used them — you are safe.
  • To make sure our users are safe, we will implement the ability to update keys on MNW
  • The MyNearWallet V2 security system is protected from these vulnerabilities; a mandatory 2FA will prevent malicious attackers from stealing your keys
  • MNW is considering adding this functionality in the current wallet version (V1)
  • More on the issue in the NEAR Protocol blog

Action Points for the NEAR Community and Wallet users

  1. To reiterate: Only those who actually used Email/SMS methods might be affected. If you enabled these methods but never used them — you are safe.
  2. If you are using Seed Phrase — you are safe
  3. If you are using Ledger — you are safe
  4. If you used the Email/SMS recovery methods — all you have to do is disable them.
  5. NEAR supports rotating keys, meaning users don't need to transfer assets and can just remove non-secure recovery methods and replace them with seed recovery or a hardware wallet.
  6. You can do it by following these steps: Account >> Check if you have Seed Phrase enabled and if you can import your account using it >> Create a Seed Phrase if you don't have one >> click Disable on email

Illia's (NEAR Protocol Co-founder) Tweet on changing the recovery method

MyNearWallet Security Updates

The email recovery method, in our opinion, has never properly met our security standards, so, during the initial audit, the MNW team decided to remove it from MyNearWallet.

Your safety is the top priority of the MNW team!

We want to make sure our users are absolutely safe, and that is why the MNW team is working on implementing a new feature that will allow users to update keys. The key storage system in MNW V2 will be protected from possible leaks. A mandatory 2FA will protect the keys from attackers. Given the current situation and community requests, we see the need to add this feature to the current interface.

Situation Overview

Wallet.near.org users who used email/SMS as recovery methods are at risk. That is why we removed email backups as potentially dangerous.

We strongly recommend that users with email/SMS recovery methods disable them and create a seed phrase, the most secure method. Another good option, for those who use cold wallets, is to connect Ledger.

MyNearWallet Plans

  • As mentioned above, we removed email/SMS, having decided that these methods do not meet our security standards
  • We plan to release a new recovery method, both user-friendly and highly secure (more about it below)
  • For now, we advise you to use the seed phrase or connect via Ledger. NB: if you use Ledger or have not used email/SMS as recovery methods, you are safe!
  • We are working on developing a new feature that will allow users to update keys. We decided to introduce it based on current events in order to protect users as much as possible (no ETA for it yet). This is an important security feature that will be in the new version. But, given the situation and understanding the needs of the community, we are going to add it to the current interface.

New recovery method:

The MNW team is actively working on a new key storage system. It will be protected from such leaks. Initially, we planned to integrate it into V2 of the web wallet, the ETA of which is autumn 2022. However, we see the need to integrate it into the current interface.

Conclusion

Your safety is our priority, and we plan on introducing new security measures!

Keep calm, stay safe and follow crypto wallet hygiene rules!
