WalletGenerator.net Issued the Same Key to Multiple Users
- The developers of the project say they could not verify claims of malicious code in their software

Popular crypto paper wallet maker WalletGenerator.net ran code with a serious vulnerability that may have affected its users, a security researcher said.
Revealed by Harry Denley, a researcher with MyCrypto.com, the vulnerability in the wallet generator, whose open source code is available on GitHub, issued identical public and private key pairs to multiple users.
The malicious code had been generating a similar set of keys since August 17 of last year. Though Denley did not find malicious behavior in the current code, he is not certain when the previous version was replaced by the secure version.
To test and confirm the vulnerability, the researcher ran a rigorous test on the open source code archived on GitHub.
“Approaching from a different angle, we then used the ‘Bulk Wallet’ generator to generate 1,000 keys. In the non-malicious, GitHub version, we are given 1,000 unique keys, as expected,” he wrote in a May 24 Medium post.
“However, using WalletGenerator.net at various times between May 18, 2019 — May 23, 2019, we would only get 120 unique keys per session. Refreshing our browser, switching VPN locations, or having a different party perform the same test would result in a different set of 120 keys being generated.”
Randomness is the key
Vaguely explaining the importance of the process of key generation, Denley noted: “ELI5: When generating a key, you take a super-random number, turn it into the private key, and turn that into the public key/address. However, if the ‘super-random’ number is always ‘5,’ the private key that is generated will always be the same. This is why it’s so important that the super-random number is actually random…not ‘5.’”
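The bulk uniqueness check described above can be reproduced against any key generator. The following Node.js sketch is an added example, not code from Denley's post or from the WalletGenerator.net code base. It assumes SHA-256 as a simplified stand-in for the real seed-to-key derivation, and the 120-value pool generator is a constructed model of the reported behavior, not the site's actual code.

```javascript
const crypto = require('crypto');

// Simplified stand-in for "seed -> private key": SHA-256 of the seed.
// A real wallet then derives the public key/address with elliptic-curve
// math, which is also deterministic, so equal seeds give equal addresses.
function privateKeyFromSeed(seed) {
  return crypto.createHash('sha256').update(seed).digest('hex');
}

// Sound generator: 32 fresh bytes from the OS CSPRNG for every key.
// (In a browser the equivalent source is crypto.getRandomValues.)
function secureSeed() {
  return crypto.randomBytes(32);
}

// Constructed faulty generator: each session draws its seeds from a fixed
// pool of `poolSize` values, so one session can never produce more than
// `poolSize` distinct keys, however many are requested.
function makePooledSeedSource(poolSize) {
  const pool = Array.from({ length: poolSize }, () => crypto.randomBytes(32));
  return () => pool[crypto.randomInt(poolSize)];
}

// The bulk check: generate `count` keys and count how many are distinct.
function bulkUniqueness(seedSource, count) {
  const seen = new Set();
  for (let i = 0; i < count; i++) {
    seen.add(privateKeyFromSeed(seedSource()));
  }
  return { generated: count, unique: seen.size, duplicates: count - seen.size };
}

// With 256-bit seeds, even a single duplicate in a bulk run is a red flag.
function passesBulkCheck(report) {
  return report.duplicates === 0;
}

const healthy = bulkUniqueness(secureSeed, 1000);
const pooled = bulkUniqueness(makePooledSeedSource(120), 1000);
console.log('CSPRNG generator:', healthy, 'pass =', passesBulkCheck(healthy));
console.log('pooled generator:', pooled, 'pass =', passesBulkCheck(pooled));
```

A passing run only shows that no duplicates appeared within one batch; it does not prove the seed source is unpredictable, so the check belongs alongside a review of where the generator gets its entropy.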
Ignorant or suspicious
MyCrypto also reached out to the developers of WalletGenerator.net and informed them of the issue while it ran the tests. Although the developers patched the malicious code, according to Denley’s post, they responded that the claims could not be verified and asked if he was on a “phishing website.”