Popular crypto paper wallet maker WalletGenerator.net was running code with a serious vulnerability that may have affected its users, a security researcher said.
Revealed by Harry Denley, a researcher with MyCrypto.com, the vulnerability in the wallet generator's code, whose open source version is available on GitHub, caused identical public and private key pairs to be issued to multiple users.
The malicious code had been generating the same set of keys since August 17 of last year. Though Denley did not find malicious behavior in the current code, he is not certain when the previous version was replaced by the secure version.
To test and confirm the vulnerability, the researcher ran a rigorous test against the open source code archived on GitHub.
“Approaching from a different angle, we then used the “Bulk Wallet” generator to generate 1,000 keys. In the non-malicious, GitHub version, we are given 1,000 unique keys, as expected,” he wrote in a May 24 Medium post.
“However, using WalletGenerator.net at various times between May 18, 2019 — May 23, 2019, we would only get 120 unique keys per session. Refreshing our browser, switching VPN locations, or having a different party perform the same test would result in a different set of 120 keys being generated.”
Randomness is the key
Explaining the importance of the key generation process in simple terms, Denley noted: “ELI5: When generating a key, you take a super-random number, turn it into the private key, and turn that into the public key/address. However, if the ‘super-random’ number is always ‘5,’ the private key that is generated will always be the same. This is why it’s so important that the super-random number is actually random…not ‘5.’”
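As an added example (not code from the researcher or from WalletGenerator.net), the Python script below reproduces the bulk-uniqueness check described in the post: generate 1,000 keys from a given entropy source and count how many distinct addresses come out. The key derivation is a stand-in (SHA-256 instead of secp256k1, since only determinism matters for the count), and the "weak" source is a constructed model of a generator that draws its "super-random" number from a small per-session pool.

```python
import hashlib
import os
import random


def derive_key_pair(entropy: bytes) -> tuple[str, str]:
    """Turn 32 bytes of entropy into a (private_key_hex, address) pair.

    Stand-in derivation: a real wallet derives the public key with secp256k1
    and hashes it into an address; here SHA-256 plays both roles, which is
    enough for a uniqueness check because the mapping is deterministic.
    """
    private_key = hashlib.sha256(entropy).hexdigest()
    address = hashlib.sha256(bytes.fromhex(private_key)).hexdigest()[:40]
    return private_key, address


def bulk_generate(n: int, entropy_source) -> list[tuple[str, str]]:
    """Mimic a "Bulk Wallet" run: n key pairs from the given entropy source."""
    return [derive_key_pair(entropy_source()) for _ in range(n)]


def count_unique(pairs: list[tuple[str, str]]) -> int:
    """The check from the post: how many distinct addresses did we get?"""
    return len({address for _, address in pairs})


def good_entropy() -> bytes:
    """Proper source: 32 bytes from the OS CSPRNG per key."""
    return os.urandom(32)


def constant_entropy() -> bytes:
    """The ELI5 failure: the 'super-random' number is always 5."""
    return bytes([5]) * 32


def weak_entropy_pool(pool_size: int = 120, session_seed: int = 1234):
    """Constructed model of the reported bug: every key in a session is drawn
    from a small pool fixed when the page loads, so 1,000 keys yield at most
    pool_size distinct results; a new session (new seed) gets a different pool."""
    rng = random.Random(session_seed)
    pool = [rng.getrandbits(256).to_bytes(32, "big") for _ in range(pool_size)]
    return lambda: rng.choice(pool)


if __name__ == "__main__":
    for name, src in [("os.urandom", good_entropy), ("constant 5", constant_entropy),
                      ("120-entry pool", weak_entropy_pool())]:
        print(f"{name:>15}: {count_unique(bulk_generate(1000, src))} unique of 1000")
```

Any result well below 1,000 unique keys for 1,000 requests is the signal the post describes; the tool under test, not this script, is what a user would point the check at.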
Ignorant or suspicious
MyCrypto also reached out to the developers of WalletGenerator.net and informed them of the issue while it ran the tests. Although the developers patched the malicious code, according to Denley’s post, they responded that the claims could not be verified and asked if he was on a “phishing website.”