Crypto Wallet Vulnerability Issued Same Private Keys to Multiple Users

By Daniel T. | May 29, 2019

The online, client-side crypto paper wallet maker WalletGenerator.net has reportedly experienced a malfunction caused by a faulty code, which gave away the same pairs of private keys to different users.

Harry Denley – a researcher at MyCrypto – published an analysis of the incident via his blog on May 24th. According to the post, the error code has been running since August last year and was not fixed until May 23, 2019. Denley analysis pointed out that, the current online version of the code – which is required to match the open-source August 2018 set – has stopped matching somewhere after that point, thus no longer generating crypto keys randomly.

In order to clarify the incident, MyCrypto has conducted a test, having the generator issuing the keys in bulk. The result came back raised some questions from the MyCrypto team.

“Approaching from a different angle, we then used the “Bulk Wallet” generator to generate 1,000 keys. In the non-malicious, GitHub version, we are given 1,000 unique keys, as expected. However, using WalletGenerator.net at various times between May 18, 2019 — May 23, 2019, we would only get 120 unique keys per session. Refreshing our browser, switching VPN locations, or having a different party perform the same test would result in a different set of 120 keys being generated.”

WalletGenerator has reportedly resolved the issue revealed by MyCrypto. However, they have questioned the authenticity of such allegations, as well as whether MyCrypto is a “phishing” site or not, since WalletGenerator has not been able to verify these allegations.

MyCrypto has advised WalletGenerator users, who had been using the page to generate pairing keys after August 2018, to instantly shift their assets to another wallet, and that they should cease their ongoing activities on WalletGenerator.

Recently, an unknown hacker has reportedly stolen 45,000 ETH by exploiting weaknesses in private keys, according to a report by Independent Security Evaluators on April 23.

Tags: , , , , ,