Computer Researcher Finds Wallet Vulnerability That Gave Same Key to Multiple Users

Published at: May 27, 2019

Online cryptocurrency paper wallet creator WalletGenerator.net previously ran on code that caused the same private key/public key pairs to be issued to multiple users. The vulnerability was described in an official blog post by security researcher Harry Denley of MyCrypto on May 24.

According to the post, the bad code was in effect by August 2018 and was only recently patched out, as of May 23. The live code on the website is reportedly supposed to be open source and audited on GitHub, but differences were detected between the live code and the GitHub version. After researching the live code, Denley concluded that the keys were generated deterministically on the live version of the website, not randomly.

In one of MyCrypto’s tests between May 18–23, they attempted to use the website’s bulk generator to make 1,000 keys. The GitHub version returned 1,000 unique keys, but the live code returned 120 keys. Running the bulk generator always reportedly returned 120 unique keys instead of 1,000 even when other factors were tweaked, including browser refreshes, VPN changes, or user changes.

Randomness is needed to generate the key pairings in order for the paper wallets to be secure. As the post puts it:

“ELI5: When generating a key, you take a super-random number, turn it into the private key, and turn that into the public key / address. However, if the ‘super-random’ number is always ‘5,’ the private key that is generated will always be the same. This is why it’s so important that the super-random number is actually random…not ‘5.’”

WalletGenerator patched the determinism problem after MyCrypto reached out during the middle of its investigation. WalletGenerator purportedly responded afterward saying that the allegations could not be verified, and even asked the correspondent if MyCrypto was a “phishing website.”

MyCrypto added that users who generated key pairs after August 17, 2018 should immediately move their funds to a different wallet, and recommended not using WalletGenerator.net.

As previously reported by Cointelegraph, a so-called “blockchain bandit” made off with around 45,000 ether (ETH) by guessing weak private keys on the Ethereum blockchain.
