🚨 Ledger Donjon disclosed a critical flaw in Tangem’s Android app, where fake cards could pass as genuine by spoofing public keys and IDs.
The issue? Improper attestation checks. (Patched in v5.18.3).
nprofile1qqsw3znfr6vdnxrujezjrhlkqqjlvpcqx79ys7gcph9mkjjsy7zsgygpzfmhxue69uhk7enxvd5xz6tw9ec82cspz4mhxue69uhhyetvv9ujumt0wd68ytnsw43qqyznla (nprofile…znla) covers the bug, the fix, and its security implications in BR097.
BitcoinReview / Bitcoin.Review
npub1qd…pzclt
2025-06-21 00:56:28 UTC
Author Public Key
npub1qdcakl75gd7wv0nqmmwrz09ddm5tzl7xj8lq2gclng2qzd8up5yqjpzcltSeen on
wss://relay.damus.ioPublished at
2025-06-21 00:56:28 UTCEvent JSON
{
"id": "05838c18f19325dd688df722063704f7e0b15c6ba9b4123e06994cea7ff4e981",
"pubkey": "0371db7fd4437ce63e60dedc313cad6ee8b17fc691fe05231f9a140134fc0d08",
"created_at": 1750467388,
"kind": 1,
"tags": [
[
"p",
"e88a691e98d9987c964521dff60025f60700378a4879180dcbbb4a5027850411",
"wss://offchain.pub",
"mention"
]
],
"content": "🚨 Ledger Donjon disclosed a critical flaw in Tangem’s Android app, where fake cards could pass as genuine by spoofing public keys and IDs.\n\nThe issue? Improper attestation checks. (Patched in v5.18.3).\n\nnostr:nprofile1qqsw3znfr6vdnxrujezjrhlkqqjlvpcqx79ys7gcph9mkjjsy7zsgygpzfmhxue69uhk7enxvd5xz6tw9ec82cspz4mhxue69uhhyetvv9ujumt0wd68ytnsw43qqyznla covers the bug, the fix, and its security implications in BR097.\nhttps://blossom.primal.net/d476b3fd3d8d0a014d2899125e33c7fc3ad129ff3703680c5c4e04f208ae0bb5.mp4",
"sig": "603926782824c84ed5a5ccb0ec4885382c2c1558f0a5236450cfabc21405db9002191ca092161f935bfe8a72036aa97b5e3b38c1e98318cfdb9bcdd091c98124"
}