November 20, 2023 at 04:36AM
Between 2011 and 2015, Bitcoin wallets are vulnerable to an exploit called Randstorm that allows unauthorized access. Approximately 1.4 million bitcoins may be affected. Customers can check if their wallets are at risk on www.keybleed.com. The vulnerability stems from the use of BitcoinJS, an open-source JavaScript package for cryptocurrency wallets. The issue was rediscovered by a cryptocurrency recovery company in January 2022. The flaw persists unless funds are moved to a new wallet.
Key takeaways from the meeting notes:
1. Bitcoin wallets created between 2011 and 2015 are vulnerable to a new exploit called Randstorm, which allows unauthorized access to wallets and passwords.
2. The vulnerability is caused by a combination of bugs, design decisions, and API changes that reduce the quality of random numbers produced by web browsers during that time period.
3. It is estimated that approximately 1.4 million bitcoins are at risk due to weak cryptographic keys in these vulnerable wallets.
4. Users can check if their wallets are vulnerable at www.keybleed[.]com.
5. The issue was first highlighted by a security researcher in 2018 and rediscovered by a cryptocurrency recovery company in January 2022.
6. The vulnerability is rooted in the use of BitcoinJS, an open-source JavaScript package for browser-based cryptocurrency wallets.
7. The use of the SecureRandom() function in the JSBN javascript library, coupled with cryptographic weaknesses in web browsers’ implementation of the Math.random() function, allowed for weak pseudorandom number generation.
8. The lack of entropy in the generation of private keys makes wallets susceptible to brute-force attacks. Wallets created before March 2012 are the easiest to crack.
9. This highlights the risks associated with open-source dependencies and vulnerabilities in foundational libraries, similar to the case of Apache Log4j in 2021.
10. The vulnerability remains in wallets created with the software, unless the funds are transferred to a new wallet created with updated software.