Summary

A bug in TestFairy that affects only mobile nightly releases has been discovered that puts the security of users' private keys at risk. If you have real funds in an account created on a nightly release, we strongly recommend sending them to a new account on the stable version of Status.

Product affected

Status mobile beta nightly builds for testing. This does NOT impact users who installed via the Play Store or TestFlight (iOS beta testing program), unless you used the recovery phrase from your nightly account in the stable version of the app.

Am I affected?

  • You installed the Status mobile app via the nightly builds.
  • You use the same recovery phrase on a mobile device installed via nightly AND on one installed via the Play Store or TestFlight.
  • You use the same recovery phrase on a mobile device installed via nightly AND in Status Desktop.

Once again, this will NOT impact you if you have only installed via the Play Store or TestFlight (iOS beta testing program).

Mitigation

We recommend that all testers and users of the nightly builds create a new account and transfer their funds into it using the following steps:

  • First, make sure you have access to your recovery phrase, either from a previous backup or by backing it up in the app.
  • Delete Status from the device.
  • Download a release build of Status from TestFlight or the Play Store.
  • Create a new account, and note the new wallet address.
  • Log out, then recover the old account. Go to the wallet tab and tap “send transaction”.
  • Enter the new wallet address into the “choose recipient” field using the “enter recipient address” option.
  • If you have any tokens, transfer these one at a time.
  • Lastly, transfer any ETH to the new wallet address (transfer ETH last, as you will need ETH to pay for gas).
  • Log out of the old account, and log in to the new account.

Description

Nightly builds are binaries of the Status application compiled at the end of each day of development to provide more immediate feedback. They differ from our beta release builds (which are uploaded to Google Play and TestFlight) in that they are non-stable and are used primarily to help our testing and development teams quickly identify bugs, crashes, and user-reported issues.

We have been using a testing tool called TestFairy in our nightly builds. TestFairy records screenshots and logs of user sessions and stores this information on secure central servers operated by TestFairy. We use this service to quickly identify issues within our nightly testing builds and accelerate the pace of development.

Sensitive information, including passwords and recovery phrases, was meant to be obscured and to remain only on the user's device; however, a bug led to this information being recorded. Details of the bug and solution can be found here.
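The failure mode above is that secrets typed into the app reached a third-party session-recording service. As an added example (not Status's or TestFairy's code), here is the kind of regression check a team can run over outbound session telemetry, in CI or on-device before upload, using a constructed test recovery phrase, a constructed password and constructed log records; the phrase-run heuristic flags partially captured phrases as well as complete ones, which a plain substring match would miss.

```python
"""Scan outbound session telemetry for a known test recovery phrase or password."""
import re
from typing import List, Tuple

# Constructed test-account secrets (not a real wallet; deliberately not BIP39-valid).
TEST_RECOVERY_PHRASE = ("apple banana cherry delta echo foxtrot "
                        "golf hotel india juliet kilo lima")
TEST_PASSWORD = "Hunter2-nightly"

# Constructed telemetry records shaped like a session-recording SDK's event log.
SAMPLE_RECORDS = [
    "2018-10-16T09:12:01Z screen=onboarding/recover text='apple banana cherry delta echo foxtrot'",
    "2018-10-16T09:12:02Z screen=onboarding/recover text='[redacted]'",
    "2018-10-16T09:12:05Z screen=login field=password value='***'",
    "2018-10-16T09:12:07Z screen=login field=password value='Hunter2-nightly'",
    "2018-10-16T09:12:09Z screen=wallet note='apple pie recipe'",
]

def _tokens(text: str) -> List[str]:
    """Lower-case alphanumeric words; quoting and punctuation are ignored."""
    return re.findall(r"[a-z0-9]+", text.lower())

def longest_phrase_run(text: str, phrase: str) -> int:
    """Longest run of consecutive phrase words appearing, in order, in text.
    A lone dictionary word such as 'apple' in ordinary text scores 1."""
    toks, words = _tokens(text), _tokens(phrase)
    best = 0
    for k in range(len(toks)):
        for j in range(len(words)):
            n = 0
            while k + n < len(toks) and j + n < len(words) and toks[k + n] == words[j + n]:
                n += 1
            best = max(best, n)
    return best

def find_leaks(records: List[str], phrase: str, password: str,
               min_run: int = 4) -> List[Tuple[int, str]]:
    """(record index, kind) for each record exposing the password verbatim or at least
    min_run consecutive phrase words (4 catches a phrase captured mid-entry)."""
    leaks = []
    for i, rec in enumerate(records):
        if longest_phrase_run(rec, phrase) >= min_run:
            leaks.append((i, "recovery_phrase"))
        if password and password in rec:
            leaks.append((i, "password"))
    return leaks

def telemetry_is_clean(records: List[str]) -> bool:
    """CI gate: True only when no record leaks either test secret."""
    return not find_leaks(records, TEST_RECOVERY_PHRASE, TEST_PASSWORD)
```

Run against the constructed records it flags the partially captured phrase in record 0 and the plaintext password in record 3, while the redacted entries and the lone word "apple" pass.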

Note: testers of nightly builds are prompted with this message upon install:

You are using an app installed from a nightly build. If you're connected to WiFi, your interactions with the app will be saved as video and logs. These recordings do not save your passwords. They are used by our development team to investigate possible issues and only occur if the app is installed from a nightly build.

Although this affected only nightly builds, ensuring that users have full control over their sensitive information and private keys is paramount to the premise of Status, and this bug constitutes a breach of our security guarantees.

Takeaways

At the time of writing, the bug has not been exploited. We have taken the following steps to ensure that anything like this never happens again:

  1. Upon its discovery we removed TestFairy; it is no longer in our codebase.
  2. All recordings have been deleted from the TestFairy servers. Nightlies from 10/17 no longer include TestFairy.
  3. We have since begun a full review of all of our usage of third-party services, with the goal of eliminating as many as possible. We have already removed Instabug from our nightly builds and from our next stable build (0.9.30) as well.
  4. We have started to implement a post-mortem process, and will be creating one for this specific incident to be shared in the Security category of our Discuss site.
  5. Here are the post-mortem draft and the live notes of the team meeting.

See the full post-mortem of this event linked here.