One and a half million bitcoins at risk of theft due to the Randstorm vulnerability

Lord777

If your crypto wallet was created before 2016, you should carefully study all the risks.

Bitcoin wallets created between 2011 and 2015 may be vulnerable to a new type of exploit called Randstorm. The exploit makes it possible to recover passwords and gain unauthorized access to a variety of wallets on different blockchain platforms.

As Unciphered stated in its report published last week, "Randstorm" is a term coined to describe a set of bugs, design decisions, and API changes that, when interacting with each other, together significantly reduce the quality of random numbers generated by web browsers of a particular era (2011-2015).

It is estimated that about 1.4 million bitcoins are held in wallets generated with potentially weak cryptographic keys. Such an astronomical sum could finance an innovative space program with dozens of rocket launches for many years.

Users can check whether their wallets are vulnerable through the KeyBleed service, also launched by Unciphered specialists.

The company said that it had already identified this problem in January 2022 while working for an unnamed client, although the vulnerability was first publicly reported by a researcher under the nickname "ketamine" back in 2018. Be that as it may, the Unciphered specialists decided to announce the threat to crypto wallets as loudly as possible only now.

The vulnerability is mainly related to the use of BitcoinJS, an open-source JavaScript library for developing cryptocurrency wallets in the browser. In particular, Randstorm stems from the package's dependency on the SecureRandom() function in the JSBN library, as well as cryptographic flaws that existed at that time in the implementation of the Math.random() function in web browsers. BitcoinJS developers stopped using JSBN in March 2014.

As a result, the lack of entropy can be used to conduct brute-force attacks and recover the private keys of wallets generated using the BitcoinJS library (or projects dependent on it). The wallets that are easiest to hack are those created before March 2012.

The findings clearly demonstrate how vulnerabilities in core libraries used in open-source projects can create cascading risks for the entire supply chain. A similar problem was observed with Apache Log4j at the end of 2021.

As noted by Unciphered, the security flaw was originally built into vulnerable wallets created using BitcoinJS, and it is impossible to fix it. The only way to protect your funds, if your wallet was created between 2011 and 2015, is to transfer all your funds to a new crypto wallet created using modern software.
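
The entropy shortfall described above, as an added example that is not part of the original post and is not BitcoinJS or JSBN code: a constructed toy generator (a linear congruential generator with a 16-bit seed, standing in for a non-cryptographic Math.random()) is audited next to the browser CSPRNG. The function names, the generator and the seed width are assumptions chosen for illustration.

```javascript
// Added illustration: constructed toy code, not BitcoinJS or JSBN.
// Browsers and recent Node expose globalThis.crypto; older Node falls back to require.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const SEED_BITS = 16; // assumption: kept tiny so the whole seed space can be counted

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// Hypothetical stand-in for a non-cryptographic Math.random():
// every output is fully determined by the seed.
function makeWeakRandom(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0; // 32-bit LCG step
    return state / 4294967296; // float in [0, 1)
  };
}

// Weak pattern: a 256-bit key filled byte by byte from the float source.
function weakKey(seed) {
  const rnd = makeWeakRandom(seed);
  const key = new Uint8Array(32);
  for (let i = 0; i < key.length; i++) key[i] = Math.floor(rnd() * 256);
  return toHex(key);
}

// Corrected pattern: all 32 bytes come from the platform CSPRNG.
function strongKey() {
  const key = new Uint8Array(32);
  webcrypto.getRandomValues(key);
  return toHex(key);
}

// Audit: the generator can never emit more keys than it has seeds,
// no matter how many bits long each key looks.
function countDistinctWeakKeys() {
  const seen = new Set();
  for (let s = 0; s < 2 ** SEED_BITS; s++) seen.add(weakKey(s));
  return seen.size;
}

const effectiveBits = (distinct) => Math.log2(distinct);

const distinct = countDistinctWeakKeys();
console.log(`nominal key size: 256 bits, distinct weak keys: ${distinct}`);
console.log(`effective entropy: at most ${effectiveBits(distinct).toFixed(1)} bits`);
console.log(`CSPRNG key sample: ${strongKey()}`);
```

The key length stays at 256 bits in both cases; only the number of keys the generator can actually produce differs, which is why affected wallets cannot be repaired and funds have to move to a key generated by modern software.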