Bitcoin News and Finance A Major Vulnerability Found in Early Crypto Wallet Software Risks Billions in Assets Skip to main content

A Major Vulnerability Found in Early Crypto Wallet Software Risks Billions in Assets

A Major Vulnerability Found in Early Crypto Wallet Software Risks Billions in Assets

A critical vulnerability in early cryptocurrency wallets, identified by cybersecurity startup Unciphered, threatens billions of dollars in digital assets. Originating from a flaw in the BitcoinJS software used for wallet generation between 2011 and 2015, this issue exposes wallets to potential exploitation. Millions of users are being urged to transfer their assets to wallets generated with updated, secure software.

Report Shows Early Crypto Wallets Exposed to Billion-Dollar Vulnerability

Unciphered‘s exhaustive 22-month investigation has unearthed a significant flaw in BitcoinJS, a widely used browser-based cryptocurrency wallet generation tool. This flaw stems from the SecureRandom function in the JSBN javascript library, compounded by weaknesses in major browsers’ Math.random implementations. This vulnerability, affecting wallets created from 2011 to 2015, makes them susceptible to attacks, with earlier wallets being more vulnerable.

Unciphered disclosed that it has coordinated with various entities to alert millions of users about this vulnerability. For individuals with assets in affected wallets, immediate action is recommended: transferring assets to newly generated wallets using reliable software. This proactive step is crucial for safeguarding digital assets against potential exploitation.

The vulnerability first surfaced for the team during a project for a client locked out of a Blockchain.com bitcoin wallet. This led to the rediscovery of a potential issue in BitcoinJS-generated wallets from 2011-2015. The implication is staggering, potentially affecting millions of cryptocurrency wallets generated during this period, with a significant value of assets at risk.

The vulnerability arises from the way BitcoinJS, a Javascript implementation of Bitcoin, used the JSBN library’s SecureRandom function. This function’s deficiency, particularly in its entropy collection and PRNG (pseudo-random number generator), creates a situation where key material could potentially be recovered by an attacker. The SecureRandom function’s failure to effectively utilize browser cryptographic functions compounded this issue, relying instead on weaker RNG methods.

This situation is critical because bitcoin private keys, requiring 256 bits of entropy, were generated with less entropy than needed. The varied impact of this vulnerability makes some wallets more susceptible to attacks than others. However, certain mitigation measures, like incorporating additional entropy sources, have been implemented over time, reducing the risk for newer wallets.

The vulnerability extends beyond bitcoin, potentially affecting dogecoin, litecoin, and zcash-based wallets. Various wallet services and projects that derived their code from BitcoinJS, including popular ones like Dogechain.info and Blockchain.info, might also be impacted. This highlights the widespread implications of the vulnerability across multiple cryptocurrencies.

Unciphered’s researchers detail that historically, third-party library dependencies have often led to vulnerabilities in software development. Similar issues have been seen in other projects, such as OpenSSL on Debian platforms. The current situation with BitcoinJS and its ecosystem exemplifies this ongoing risk in software development, especially when it comes to securing financial assets and sensitive information.

What do you think about the bug Unciphered discovered? Share your thoughts and opinions about this subject in the comments section below.

Comments

Popular posts from this blog

Custodial Lightning Network Service Attack Discovered by LN ‘Newbie’ — Hacker Strikes 6 LN Custodians

On September 18, a Redditor posted to the r/bitcoin forum and explained how he discovered a way to “attack [the] lightning Network’s custodial services.” The Reddit account dubbed “Reckless Satoshi” wanted to figure out if a “discrepancy between real routing fees and service’s transaction fee can be exploited for a profit.” The researcher disclosed that he wanted to see how large the damage could be and said “it is bad.” 6 Lightning Network Custodial Services Attacked, Researcher Discloses Findings to Offenders Prior to Public Disclosure A Redditor called Reckless Satoshi published a disclosure post on r/bitcoin this past Saturday and disclosed how he had found a vulnerability with routing fees and some of the Lightning Network’s custodial services. The research attack was done in good faith and after it was complete he disclosed the bugs to the offending services before publishing his findings. Reckless Satoshi used the Lightning Network (LN) attack on six different services incl...

Axie Infinity Down 40% Since Last Week’s Price High, Protocol Revenue Outshines Competitors

Last week, the game token leveraged within the Axie Infinity gaming universe skyrocketed to all-time highs, while other crypto markets remained extremely lackluster. During the last seven days, Axie Infinity’s platform token has dropped significantly in value shedding more than 12%. Meanwhile, the game platform’s smooth love potion token has slid over 8% over the last 24 hours. Axie Infinity Down More Than 40% Since All-Time High Not too long ago, the axie infinity (AXS) token was a topical conversation because it reached an all-time high on July 15. At the time, AXS managed to capture $28.93 per unit and since then it has shed 12.8% during the last seven days. The axie infinity (AXS) token is used within the blockchain-based game that involves battles between token-based creatures called “Axies.” AXS is used for the game’s governance system as well as other actions within the game. At the time of writing axie infinity (AXS) is exchanging hands for $16.70 per coin. AXS/USD on Ju...

Play-to-Earn Game From Polker (PKR) Exchange Listing – Endorsed by Akon

The Play-to-Earn NFT based Polker.Game ‘s native token $PKR has been officially listed on the popular centralized exchange BitMart. Polker.game has been in the spotlight recently as Akon, the American R&B superstar and record producer gave his official endorsement of polker stating that the “game is revolutionary” and that Polker is “hands down.. the best play to earn, NFT game in the space.”. With the BitMart listing and celebrity endorsement from Akon, Polker is perfectly positioned to become a major player in the Play-to-Earn league. Watch Akon’s Video Here What is Play-to-Earn? Although not a new concept, play-to-earn has become a trending term due to the popularity of the NFT game AXIE infinity. In the past, previous play-to-earn games have also achieved success – however, thanks to the huge amount of development in the blockchain space in recent years the gaming experience is now massively improved. Play-to-Earn games are essentially free to play and open to anyone and...

China to Crack Down on Copyright Infringement Through NFTs

Authorities in China are going after creators of digital collectibles based on other people’s works of art, the use of which was not authorized. The government offensive is part of a campaign to combat online copyright infringement and piracy with the participation of several departments. Regulators in China Move to Strengthen Copyright Supervision of Online Platforms The National Copyright Administration of China (NCAC) has recently launched a campaign against copyright infringement and piracy on the internet, together with the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Internet Information Office of the People’s Republic. A major objective of the initiative is to improve copyright supervision of online businesses by investigating cases involving the sale and distribution of infringing products on short video, live broadcast and e-commerce platforms, and promptly dealing with infringing content, the agency announced in a press r...
Blogarama - Blog Directory