True Story of Ever Surf for Desktop
We hope this text reaches you in time for the hearing. The safety of your assets was and remains our top priority. That’s why, for example, we always urged our users to install the mobile version of Ever Surf. This app meets the highest security standards and we are confident in its reliability.
The Surf web version hosted at https://web.ever.surf was an experimental solution. It was really helpful in the early stages: debot developers preferred it to the mobile version, and new users could easily get started with Surf. Unfortunately, the web version no longer meets our standards for a fast and secure application.
We planned to increase the security level of Surf and launch a desktop version in the first quarter, as soon as we finished the SURF token release, the development of the token swap exchange, the addition of a new payment provider and the integration of gift cards. But when we received an email from the Check Point Research team, we understood there was no time to lose.
Check Point Research conducted independent research into the security of the Surf web version and found a weakness. We followed up on the report, checked everything and confirmed that the vulnerability exists. The web version cannot use a password-based KDF securely because that platform cannot supply a unique salt, such as a device ID. In simple terms, that means there is a theoretical way to get access to your wallet and the assets in it.
Therefore, we needed to act quickly to eliminate it so as not to put our users at risk. It became clear that we could no longer postpone the release of the Surf desktop app. Our basic idea was to wrap the existing web application with an Electron packager and pass a unique machineID into it, so that its hash can be used as the salt for the key derivation.
This way we could keep the familiar interface and everything you are used to in the web version. We didn’t want to ruin your user experience, so you can still unlock the app with a short PIN instead of memorizing long, strong passwords. In the long run, the desktop version gives more options than the web version.
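The key derivation described above, as an added Node.js example that is not Ever Surf's own code: the salt is the SHA-256 hash of a machine ID, and the derived key encrypts the seed. The scrypt KDF, AES-256-GCM, the function names and all sample values are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// Salt = SHA-256(machineId), as the post describes for the desktop build.
function deviceSalt(machineId) {
  return crypto.createHash('sha256').update(machineId, 'utf8').digest();
}

// scrypt is an assumed KDF choice; the post does not name the one Surf uses.
function deriveKey(pin, salt) {
  return crypto.scryptSync(pin, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt the seed phrase with AES-256-GCM under the PIN-derived key.
function lockSeed(seed, pin, machineId) {
  const key = deriveKey(pin, deviceSalt(machineId));
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(seed, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the seed, or null when the PIN or the machine ID does not match.
function unlockSeed(blob, pin, machineId) {
  const key = deriveKey(pin, deviceSalt(machineId));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    const pt = Buffer.concat([decipher.update(blob.ct), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null; // GCM tag check failed: the derived key is wrong
  }
}

// Constructed sample values, not real identifiers or a real seed.
const MACHINE_A = 'constructed-machine-id-aaaa';
const MACHINE_B = 'constructed-machine-id-bbbb';
const SEED = 'constructed sample seed phrase';
const PIN = '493817';

const blob = lockSeed(SEED, PIN, MACHINE_A);
console.log('same machine:', unlockSeed(blob, PIN, MACHINE_A));
console.log('other machine:', unlockSeed(blob, PIN, MACHINE_B));
```

The salt binds the stored blob to one machine, so the same PIN derives a different key anywhere else. It does not enlarge the PIN space itself, so the KDF cost parameters still matter.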
Around the end of April, Check Point Research will present their report to the public, and then anyone will be able to take advantage of the vulnerability and gain access to funds. So we decided to end support for the Surf web version.
Before that day, we ask you to download and install our desktop application, because we will disable the web version. After installation, you will have to restore access to your assets using your seed phrase. If you haven’t saved your seed phrase yet, do it as soon as possible by following these instructions.
Since we don’t collect any data, we don’t know how many people are currently using the web version. It is important for us to inform as many of them as possible so that no one’s assets are at risk. We will not allow anyone to steal your funds, but it is important to us that you do not lose access to them yourself.
We want to thank the Check Point Research team again for their highly professional, clear and constructive report. Cheers, guys, you rock!