Author

Topic: [2023-11-14] If you created a wallet before 2016, your money may be at risk (Read 164 times)

legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Thank you for this. I was too lazy to read all that text and was looking for the short version.  Cheesy

To be honest with you, I read until I reached the link where you can supposedly check the vulnerability of the wallet, and then I gave up when I saw what it was actually about - and if you look at what the OP has in his signature, it's a bit strange that he shares links that are classic collectors of personal data that can then be used for malicious purposes.

Yep, web based wallet code was said far too many times it's insecure. And far too many people didn't read or didn't care. I don't expect OP's wall of text will change anything in this.

Over the years, I've read a lot of cases where people's coins literally disappeared from exactly such wallets, and mostly it was about the blockchain.com page - and mostly the first conclusion was that someone became a victim of phishing or stored their seed incorrectly, but obviously there were vulnerabilities that someone managed to exploit.

I recently received a notification from one such online service that I created a little less than 10 years ago, warning me not to use that wallet anymore, but luckily I stopped using it a long time ago.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
Unbelievably large text wall to explain what could literally fit in two sentences. Online wallets were not secure 10 years ago, and they are not even today. Anyone who stores their private keys in such a way is only gambling with high odds of losing.

Thank you for this. I was too lazy to read all that text and was looking for the short version.  Cheesy

Yep, web based wallet code was said far too many times it's insecure. And far too many people didn't read or didn't care. I don't expect OP's wall of text will change anything in this.
legendary
Activity: 4256
Merit: 1313
legendary
Activity: 2814
Merit: 1192
Unbelievably large text wall to explain what could literally fit in two sentences. Online wallets were not secure 10 years ago, and they are not even today. Anyone who stores their private keys in such a way is only gambling with high odds of losing.

And what kind of website is it that supposedly checks whether a wallet is vulnerable or will become vulnerable in the future, and for this check it asks for information such as name and surname, e-mail and public key? Do not enter such information anywhere, it is only a threat to your privacy.

Exactly. They haven't found anything that people who, like the article says, were around before 2016 haven't known.

Quote
Millions more haven’t been told, often because their wallets were created at cryptocurrency websites that have gone out of business.

This used to be a big issue. I don't remember when exactly, but it was popular for people to make vanity addresses using these sites and you could have your own name in it, but a year or so later the coins begun to disappear and people came to a conclusion that the owner of the site was making an exit scam with all the people's money.

Bottom line, when someone makes an address for you, it's a scam.
legendary
Activity: 1554
Merit: 1021
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Unbelievably large text wall to explain what could literally fit in two sentences. Online wallets were not secure 10 years ago, and they are not even today. Anyone who stores their private keys in such a way is only gambling with high odds of losing.

And what kind of website is it that supposedly checks whether a wallet is vulnerable or will become vulnerable in the future, and for this check it asks for information such as name and surname, e-mail and public key? Do not enter such information anywhere, it is only a threat to your privacy.
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
Blockchain.info has been a security hazard for years and I remember this "randomness" issue being reported on this very forum. I luckily shifted my coins from Blockchain.info before this vulnerability were discovered, so my coins are safe in a secure wallet.

It has also been an issue for me to get the 2FA notice in time, before it expires... just to get into the wallet, because the sending of the 2FA took ages. (A wallet should not give you too many hassles to login.... and Blockchain.info was one of them)  Roll Eyes
legendary
Activity: 1672
Merit: 1014
If you created a bitcoin wallet before 2016, your money may be at risk

A company that helps recover cryptocurrency discovered a software flaw putting as much as $1 billion at risk from hackers. Now it’s going public in hopes people will move their money before they get robbed.

By Joseph Menn
Updated November 14, 2023 at 1:30 p.m. EST|Published November 14, 2023 at 6:00 a.m. EST

SAN FRANCISCO — After a tech entrepreneur and investor lost his password for retrieving more than $600,000 in bitcoin and hired experts to break open the wallet where he kept it, they failed to help him. But in the process, they discovered a way to crack enough other software wallets to steal $1 billion or more.

On Tuesday, the team released information about how they did it. They hope it’s enough data that the owners of millions of wallets will realize they are at risk and move their money, but not so much data that criminals can figure out how to pull off what would be one of the largest heists of all time.

Their start-up, Unciphered, has worked for months to alert more than a million people that their wallets are at risk. Millions more haven’t been told, often because their wallets were created at cryptocurrency websites that have gone out of business.

The story of those wallets’ vulnerabilities underscores the enormous risk in experimental currencies, beyond their wild fluctuations in value and fast-changing regulations. Many wallets were created with code containing profound flaws, and the companies that used that code can disappear. Beyond that, it is a sobering reminder that underneath software infrastructure of all kinds, even ones explicitly dedicated to securing funds, are open-source programs that few or no people oversee.

“Open-source ages like milk. It will eventually go bad,” said Chris Wysopal, a co-founder of security company Veracode who advised Unciphered as it sorted through the problem.

The company shared its process and conclusions with The Washington Post before going public.

The risk of bad open-source code was laid bare in 2021 when it was discovered that Log4j, a ubiquitous tool used by software servicers that few consumers were even aware of, could be used to execute malicious code. The revelation panicked companies worldwide and made open-source security a top priority for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which is now pushing companies to map out all the programs they depend on.

“Every man-made technology contains flaws that originate within its creators,” Unciphered co-founder Eric Michaud said.

Stefan Thomas, the technologist who created the software used to create the wallets, told The Post that he had done so as a hobby and had taken the key part of the code from a program published on a Stanford University student’s page, not checking to see if it was sound.

“Instead, I was obsessed about making sure that I didn’t make any mistakes in my own code,” Thomas said. “I’m sorry to anyone affected by this bug.”

Unciphered is calling the flaw “Randstorm,” because it stems from wallet programs that created cryptographic keys that weren’t random enough. Instead of crafting electronic keys that were one in a trillion and therefore very hard for an outsider to forge, they made keys that were one in some number of thousands — a randomness factor easily hacked.

The person who set the ball in motion is investor Nick Sullivan, an early bitcoin believer who used the site Blockchain.info, since renamed Blockchain.com, to make a wallet in 2014. Not long after, he wiped his computer’s memory without realizing that he had not saved to his password manager the blob of letters and numbers that would give him access to his crypto account.

“It was a pretty frustrating set of circumstances,” Sullivan told The Post. At the time, he was out around $18,000. That amount is now worth more than $600,000 — enough to make it worthwhile for him to hire the hackers and National Security Agency veterans at Unciphered to try to recover it.

Unciphered, one of a handful of outfits dedicated to recovering trapped electronic funds for a fee, began searching for Sullivan’s money in January 2022.

It turned out that the information Sullivan had about how he had created the account wasn’t enough to let Unciphered’s experts crack the wallet. But in studying the problem, the Unciphered team uncovered a bigger issue: Thomas’s code, known as BitcoinJS, which was supposed to create wallets with random keys, didn’t always make them random enough.

Compounding the problem, Thomas’s BitcoinJS was used not only by Blockchain.info but also by many other sites from 2011 on, including the main source of wallets for the former joke currency dogecoin, Dogechain.info. An executive at that site’s owner, Block.io, did not respond to an email from The Post seeking comment.

“BitcoinJS is terribly broken up till March 2014,” Michaud said. “Anyone directly using it is on the very high end of risk to attack.”

Cryptographers discovered weaknesses in how most of the major browsers created randomness in 2014, and they improved afterward. Blockchain.info and some other sites also added more randomness, making wallets harder to crack. Unciphered has not found any wallets created after 2016 that are vulnerable because of weak randomness.

But that still leaves millions of wallets vulnerable.

The easiest to crack would be wallets made before March 2012, which hold about $100 million and could be hacked by a home computer user, Michaud said.

Another $50 billion worth of bitcoin is stored in wallets created between then and the end of 2015. Most of those are not vulnerable, but at least 2 percent of them are, for about another $500 million, Unciphered said. Then there are other currencies with wallet services that borrowed from BitcoinJS, including dogecoin and litecoin.

Discovering the vulnerability was only half the challenge. Unciphered still had to figure out how to tell millions of people to move their funds, without giving away the existence of a huge vulnerability.

Unfortunately, many of the crypto sites that had used the flawed program were out of the business, as was Thomas.

Unciphered legal adviser Stewart Baker, a former general counsel at the National Security Agency, trying to determine the right thing to do, even broached the idea in a column a year ago of having a “white knight” steal everything that was vulnerable to a hypothetical crypto flaw and hold onto it while sorting through who truly owned what.

He noted that a precedent of sorts had been established in 2021, when a hacker stole a whopping $600 million in virtual currency from lending platform Poly Network and returned it for a fee of $500,000 and a promise that he would not be prosecuted.

But no one wanted to risk prosecution or civil liability by stealing from many people at once, and in the end “what we decided to do,” Baker recalled, "was find the company that was in a position to fix or notify as many people as possible, in the hope we could get a lot of this fixed before the exact nature of the problem leaks.”

Eventually, Michaud realized that the biggest old user of the wallet program still around was the one Sullivan had used, Blockchain.com.

The first interaction between the two companies was fraught with suspicion. Each wanted the other side to sign a nondisclosure agreement, but neither would themselves.

“In crypto, you need to be pretty skeptical of people who call with something that sounds dramatic, because there are so many scammers,” Blockchain.com President Lane Kasselman recalled. “It was unclear who they were and what the scope of it was.”

But their references checked out, and Baker joined a group call to explain that the Unciphered hackers were well-meaning security whizzes, not extortionists. Blockchain.com agreed to help. It worked out a way to automatically update wallets of those who visited its site, changed its app, and sent out emails to the holders of more than 1.1 million affected wallets beginning Oct. 10, less than 2 percent of the 90 million wallets it has created.

Of course, many of those who were notified were suspicious too. One of them posted the notice in a chat for crypto enthusiasts and asked for guesses about what was going on. Security expert Dan Guido saw that and posted on X, and someone responded by pointing to a notice on Unciphered’s site saying that it would have something wallet-related to announce in the future.

Guido then asked the people at his security engineering company, Trail of Bits, to see what Unciphered might have been referring to. They figured out the issue in days, but they agreed to keep quiet at Unciphered’s request.

“They’ve been able to keep this under wraps for 20 months, which is insane, and that’s what’s required,” Guido said. "The ability for people to take advantage of it is extremely high.”

Consumers can check whether their wallets are vulnerable at www.keybleed.com.

Unfortunately, Sullivan’s wallet wasn’t among those that suffered from the security flaw — mainly because he created his wallet in 2014, after Blockchain.info had improved the randomness of its wallets. If the security had been worse, he would have been able to get his money back when Blockchain.info notified clients with vulnerable accounts.

He is done with crypto anyway, after starting three companies in the industry and winding up a bit poorer than when he began. Now he is working on artificial intelligence.

“Crypto is a pretty hostile place, to be honest, full of people attacking what you’re building, whether they are trying to hack it, or challenges from regulators, or other people interested in seeing bitcoin being taken down,” the former true believer said.

But he said he was happy that he ended up helping a large number of strangers who are still invested emotionally as well as financially: “I honor those still fighting that fight.”

Source: https://www.washingtonpost.com/technology/2023/11/14/bitcoin-wallet-passcode-flaw/
Jump to: