A cryptocurrency and security researcher Harry Denley at MyCrypto.com has made an announcement on Medium, reporting that private keys generated on the website called WalletGenerator.com could potentially be malicious and vulnerable to hacking attacks.
Harry advises that if people had used private keys generated after August 17th 2018, then their keys might be vulnerable and could be vulnerable and the funds should be moved to a secure address immediately.
WalletGenerator is an open-source website that generates paper wallets for different cryptocurrencies. The code for the wallet generator can be found on GitHub. Although, the code is open-source and can be used by anyone, it has not been vulnerable, nor it is at this moment. The vulnerability was identified on the actual website, which could be a result of a client-side bug.
Private keys are not vulnerable at the moment, but malicious behaviour could be reintroduced, so it is better to protect your funds and move the funds to other wallet.
The researcher has said:
“Approaching from a different angle, we then used the “Bulk Wallet” generator to generate 1,000 keys. In the non-malicious, GitHub version, we are given 1,000 unique keys, as expected.
However, using WalletGenerator.net at various times between May 18, 2019 — May 23, 2019, we would only get 120 unique keys per session. Refreshing our browser, switching VPN locations, or having a different party perform the same test would result in a different set of 120 keys being generated.”
The researcher has also pointed out the suspicions about the weird image download request during the wallet generation process. Each time the wallet is generated for a specific cryptocurrency, the image of the coin should be downloaded to the browser and the requests should not be sent when the HTML page is downloaded again. After further investigation, the team has found that image data is used to seed the random number generation function.
The team has also investigated image load, by changing VPN addresses from different geographical locations in order to see how the server would respond.
“This led us to a conclusion that these images are served to a deterministic percentage of the visitors, likely based on the IP.
The bitcoin.png with the hash
479...c59and a file size of 16K is the unmodified
bitcoin.pngicon. The other hashes and file with a file size of 156K are modified in some way and likely stored on the server in order to re-generate the keypairs at a later date and steal funds.”
The image sizes were produced differently to different users, based on their IP addresses. The images can be malicious because when a specific hash code is attached to the image, it would generate the same 120 keys. Only when the VPN and browsers are changed, the image would change and the new set of keys becomes generated again.
The team from MyCrypto is still scratching their heads about whether the image and the website can be malicious and what data is added to the image. Also, the authenticity and transparency of the WalletGenerator still remains unknown, since there website owner is still unknown.