Bitcoin
Bitcoin (BTC)
$64,752.00 -1.60415
Bitcoin price
Ethereum
Ethereum (ETH)
$3,122.00 -7.64346
Ethereum price
BNB
BNB (BNB)
$567.31 -2.13591
BNB price
Solana
Solana (SOL)
$168.38 -5.79464
Solana price
XRP
XRP (XRP)
$0.6010440 -3.50008
XRP price
Shiba Inu
Shiba Inu (SHIB)
$0.0000161 -6.10955
Shiba Inu price
Pepe
Pepe (PEPE)
$0.0000113 -7.93226
Pepe price
Bonk
Bonk (BONK)
$0.0000266 -6.78918
Bonk price
Bitcoin
Bitcoin (BTC)
$64,752.00 -1.60415
Bitcoin price
Ethereum
Ethereum (ETH)
$3,122.00 -7.64346
Ethereum price
BNB
BNB (BNB)
$567.31 -2.13591
BNB price
Solana
Solana (SOL)
$168.38 -5.79464
Solana price
XRP
XRP (XRP)
$0.6010440 -3.50008
XRP price
Shiba Inu
Shiba Inu (SHIB)
$0.0000161 -6.10955
Shiba Inu price
Pepe
Pepe (PEPE)
$0.0000113 -7.93226
Pepe price
Bonk
Bonk (BONK)
$0.0000266 -6.78918
Bonk price
Bitcoin
Bitcoin (BTC)
$64,752.00 -1.60415
Bitcoin price
Ethereum
Ethereum (ETH)
$3,122.00 -7.64346
Ethereum price
BNB
BNB (BNB)
$567.31 -2.13591
BNB price
Solana
Solana (SOL)
$168.38 -5.79464
Solana price
XRP
XRP (XRP)
$0.6010440 -3.50008
XRP price
Shiba Inu
Shiba Inu (SHIB)
$0.0000161 -6.10955
Shiba Inu price
Pepe
Pepe (PEPE)
$0.0000113 -7.93226
Pepe price
Bonk
Bonk (BONK)
$0.0000266 -6.78918
Bonk price
Bitcoin
Bitcoin (BTC)
$64,752.00 -1.60415
Bitcoin price
Ethereum
Ethereum (ETH)
$3,122.00 -7.64346
Ethereum price
BNB
BNB (BNB)
$567.31 -2.13591
BNB price
Solana
Solana (SOL)
$168.38 -5.79464
Solana price
XRP
XRP (XRP)
$0.6010440 -3.50008
XRP price
Shiba Inu
Shiba Inu (SHIB)
$0.0000161 -6.10955
Shiba Inu price
Pepe
Pepe (PEPE)
$0.0000113 -7.93226
Pepe price
Bonk
Bonk (BONK)
$0.0000266 -6.78918
Bonk price

Unciphered discovers $1b vulnerability in BitcoinJS-built crypto wallets

unciphered-discovers-1b-vulnerability-in-bitcoinjs-built-crypto-wallets
Edited by
News
Unciphered discovers $1b vulnerability in BitcoinJS-built crypto wallets

A crypto recovery company, Unciphered, has discovered a significant vulnerability in BitcoinJS library.

A billion-dollar-worth vulnerability in old Bitcoin (BTC) wallets generated with BitcoinJS library was exposed on Nov. 14. Crypto recovery firm Unciphered said it had learned that the popular JavaScript library did not always generate private keys random enough.

As reported by The Washington Post, the vulnerability called Randstorm was prevalent among crypto wallets generated between 2011 and 2016. While no specific details on the bug have been released, the report says the BitcoinJS library was not generating private keys for crypto wallets properly. The random number generator was insufficient, leaving nearly $1 billion worth of crypto exposed for a hack.

“BitcoinJS is terribly broken up till March 2014. Anyone directly using it is on the very high end of risk to attack.”

Unciphered Co-Founder Eric Michaud

BitcoinJS developer Stefan Thomas confirmed the vulnerability in a commentary to The Post. He had developed the software as a hobby, taking the major part of the code from a source code published on Stanford University’s website.

“Instead, I was obsessed about making sure that I did not make any mistakes in my own code. I’m sorry to anyone affected by this bug.”

BitcoinJS developer Stefan Thomas

According to The Post, the BitcoinJS library was used by many crypto websites such as Blockchain.com (formerly Blockchain.info), Dogechain.info, Block.io, and others. However, Blockchain.com is said to have fixed the issue, adding more randomness to the random number generator.

The BitcoinJS vulnerability appears to be not entirely new. In 2018, David Gerard, a Unix system expert based in the U.K., previously revealed that he had discovered discussion threads on the Bitcointalk forum as early as 2013 on this particular issue. Back then, some web-based Bitcoin wallets used the SecureRandom() function to generate private keys.

According to Gerard, the function generates cryptographic keys that are less than 48 bits of entropy regardless of the entropy level of the seed. The JavaScript function then runs the alphanumeric key through the obsolete RC4 algorithm, which is generally considered predictable. The predictability makes the private key vulnerable to brute-force hacking.