Cryptocurrency paper wallet website WalletGenerator.net has got serious vulnerability problems that allegedly caused the same key (private key/public key) pairs to be issued to multiple users. The researcher and a director of Security Harry Denley of MyCrypto announced through a blog post on May 24.
The post recommends in a disclosure that if cryptocurrency investors have used a private key generated on WalletGenerator.net after August 17, 2018, then it’s time to move the funds immediately to a secure address right away because of the strong vulnerability issue which is potentially malicious and can affect multiple users who are holding the same key pairs.
As per the information earlier in August 2018, a bad code has been run by the WalletGenerator.net which just now patched (modified) on May 23, 2019.
Vulnerability Issue With WalletGenerator.net
Denley further mentions that the team in the process of getting a solution about the malicious findings informed the site owner and in turn, they received a reaction that the suspected claims are not verified and asked them possibly they visited and investigated a phishing website. However, on midday, 23rd May 2019, a surprising email response caught by the team from the current site owner stating that “the code being served to the site was modified to remove the previously-added, malicious, code”. The changing tone and the remarks by the site owner made them bewildered against the activities happening on the website resulting to conclude if the server is insecure, compromised (by an external party) or the party (owner) is malicious. Almost two years back the project owner has also got changed, the post further mentioned.
Reportedly, The cryptocurrency paper wallet generator website is expected to deliver an open source, audited code which is also required to match the Github code.The researcher’s investigation process brought to light that the GitHub code is not matching with the live code being served via the WalletGenerator.net URL. Also, it is found that the WalletGenerator website code is having duping aspects which is extremely harmful to the cryptocurrency holders. It has also found that GitHub code isn’t malicious nor vulnerable including its past and present status, unlike the website.
Test By MyCrypto
To understand the difference between the two codes the team further researched by running MyCrypto’s tests between May 18–23. The attempt was to understand the reason for the different code generation and the pairing key status. To their surprise, they discovered less no. of unique keys which is only 120 in numbers, while deploying the website’s bulk generator to make 1,000 keys. On the contrary, the GitHub code produced 1,000 unique keys in return every time as compare with the live website code. The efforts were made several times to apprehend the situation including various factors like refreshing browser, changing VPN, or changing users. Nonetheless, every time while running the website bulk generator through live code only 120 unique keys came out instead of complete 1000 unique keys.
After explorations, Delley’s outlook on researching the live code is that the keys were not randomly generated which is supposed to be. Here on the live version of the WalletGenerator website, the keys were generated deterministically and not using the secure random function for taking input from the user’s browser instead of the live version of the website taking input from the coin image and performing an XHR request which is highly treacherous.
He also emphasized on that fact that proper randomness is compulsory to generate the key (private key/public key) pairings to function the paper wallets to be secure.
Delley further stated: During the key/address generation process, a super-random number is required to make a private key which turns into the public key. But if the super random no is always “5” then the same private key will generate every time. By relaying the fact of not using the super random “5” he concluded the paragraph.
Tags: Disclosure, Cryptocurrency, MyCrypto, Researcher, Discovers, Wallet Vulnerability, WalletGenerator.net, GitHub, Cryptocurrency Paper Wallet, Paper Wallet, Address, Private Key, Public Key, Multiple Users, Bad Code, Security, Random Function, XHR