Disclosure: Key generation vulnerability found on WalletGenerator.net—potentiall

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: Orange Mango on May 25, 2019, 05:11:49 PM

What if the wallets people dev for crypto is on a timer and one day all wallets are emptied and hell breaks loose. Could this happen?

As others have said, the way to address this is to only use open source software and to spend some time auditing the code prior to using it. If you don't have the time or ability to do this, then you have to rely on what other trusted users are saying.

Specifically in terms of crypto, you can mitigate this risk by running your wallets on an air gapped device (i.e. a device which will never have an internet connection). It doesn't matter if the wallet in question is programmed to email your private keys to the devs if it never gains access to the internet. You still have to be careful how you would transfer signed transactions to an internet enabled device though - conceivably the wallet in question could write to a USB (for example) which would then send off the data in question whenever internet access was achieved.

mk4

legendary

Activity: 2716

Merit: 3817

🪸 NotYourKeys.org 🪸

Quote from: pooya87 on May 25, 2019, 11:12:42 PM

well security doesn't come cheap. it requires lots of effort. so the question is whether the user values his security (which can be based on how much bitcoin he owns) enough to spend time learning how to do it. i believe the reason why most people do crazy things like holding their coins on Coinbase is that they don't value their security that much.

Which is a huge huge problem in itself. People not knowing how vulnerable exchanges and custodial wallets is to hacks and fraud. Taking their security easily as if they only have a few dollars of BTC. In the end it's their fault I guess; due to them not educating themselves first before investing huge amounts of money.

pooya87

legendary

Activity: 3444

Merit: 10558

Quote from: mk4 on May 25, 2019, 02:07:06 AM

Quote from: nc50lc on May 25, 2019, 12:28:16 AM

You can suggest them to create their own paper wallet using other means, manual or by other offline tools. It's not too "techie".

Creating an airgapped offline device itself could be very complicated for most people. You need to understand that not everyone knows how to work with basic computer stuff; and this is one of the reasons why a lot of people still like holding their funds on Coinbase and other similar platforms.

well security doesn't come cheap. it requires lots of effort. so the question is whether the user values his security (which can be based on how much bitcoin he owns) enough to spend time learning how to do it. i believe the reason why most people do crazy things like holding their coins on Coinbase is that they don't value their security that much.

Quote from: Orange Mango on May 25, 2019, 05:11:49 PM

How do I know if I type my info into a program it is safe?

you find the source code of whatever open source application you use, in this case Brave browser and you go through it to see what it really does. then you can also clone the code and build it yourself instead of running the binaries they provide. https://github.com/brave/brave-browser

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: Orange Mango on May 25, 2019, 05:11:49 PM

I have a question to ask. I always wonder. When I type in my password and username what can be done with that info. Look at brave browser. I will make a fictional scenario.

Let us say brave browser collects all passwords and for which site they are for and emails it daily to the dev?? How do I know if I type my info into a program it is safe? What if the wallets people dev for crypto is on a timer and one day all wallets are emptied and hell breaks loose. Could this happen? Please say something to calm my nerves.

Officially, you don’t unless you audit the source code (if available) and build the software yourself.

Now, you don’t even know if Windows saves your passwords and keystrokes when you use it. Or if your PC manufacturer implemented a chip that opens a backdoor on it, etc, etc... At some point you will have to trust someone.

My suggestion: on most cases, don’t lose your head with it. It’s not worth it. Obviously you shouldn’t trust random softwares or websites, but most known softwares can be trusted (in part). Just do your research and see what other (trusted) members say about it.

Orange Mango

member

Activity: 130

Merit: 10

I have a question to ask. I always wonder. When I type in my password and username what can be done with that info. Look at brave browser. I will make a fictional scenario.

Let us say brave browser collects all passwords and for which site they are for and emails it daily to the dev?? How do I know if I type my info into a program it is safe? What if the wallets people dev for crypto is on a timer and one day all wallets are emptied and hell breaks loose. Could this happen? Please say something to calm my nerves.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: mk4 on May 25, 2019, 02:07:06 AM

Creating an airgapped offline device itself could be very complicated for most people.

Exactly. The average person is not particularly tech-savvy. For crypto to become mainstream, securely holding and spending it needs to be as easy as it is to securely hold and spend fiat. Most people would struggle to even use Electrum as it currently stands, let alone create an air-gapped computer and figure out how to export and restore private keys. They need something easy like most mobile banking apps, or indeed, an easy interface like most web wallets offer. Unfortunately, most people would be more than happy to trade off security for complete simplicity of use.

For the majority of people, the best thing is to buy either a Trezor or a Ledger. If you follow the instructions provided carefully, it's pretty hard to go wrong.

mk4

legendary

Activity: 2716

Merit: 3817

🪸 NotYourKeys.org 🪸

Quote from: nc50lc on May 25, 2019, 12:28:16 AM

You can suggest them to create their own paper wallet using other means, manual or by other offline tools. It's not too "techie".

Creating an airgapped offline device itself could be very complicated for most people. You need to understand that not everyone knows how to work with basic computer stuff; and this is one of the reasons why a lot of people still like holding their funds on Coinbase and other similar platforms.

nc50lc

legendary

Activity: 2394

Merit: 5531

Self-proclaimed Genius

Quote from: mk4 on May 25, 2019, 12:14:53 AM

This is one of the reasons why I really don't suggest the usage of paper wallets to almost everyone. So much unsecure and fraudulent wallet generators out there. Creating one in a secure manner through bitaddress could be complicated enough to a typical non-techie person.

Why Paper wallets in general though?
You can suggest them to create their own paper wallet using other means, manual or by other offline tools. It's not too "techie".

Example:

Create a wallet using Electrum on an AirGapped (offline) PC
Export 1 private key address pair.
Copy it to a piece of paper (Try to restore a new wallet using the private key for verification)
Delete the Wallet, low-level format the PC or crush the hard drive (for paranoids) after.

mk4

legendary

Activity: 2716

Merit: 3817

🪸 NotYourKeys.org 🪸

This is one of the reasons why I really don't suggest the usage of paper wallets to almost everyone. So much unsecure and fraudulent wallet generators out there. Creating one in a secure manner through bitaddress could be complicated enough to a typical non-techie person.

pooya87

legendary

Activity: 3444

Merit: 10558

yet another reason why you should never use a closed source wallet/tool (in this case the website) to generate a wallet, private key or seeds. instead you should always stick to open source tools (in this case the code on GitHub instead) and run it offline.

Baofeng

legendary

Activity: 2576

Merit: 1655

If you have used a private key generated on WalletGenerator.net after August 17, 2018, move your funds immediately to a secure address.

Quote

TL;DR
Who is affected: Anyone who has put funds in a public/private key generated via WalletGenerator.net after August 17, 2018.
When: August 17, 2018 — Huh

. While the malicious behavior is not presently found as of May 24, 2019, it could be reintroduced at any point.
What happened: There were changes to the code being served via WalletGenerator.net that resulted in duplicate keypairs being provided to users. These generated keypairs were also potentially stored server-side.
What you should do if you are affected: Securely create a new keypair / wallet and move your funds to that new, secure address. Some folks have recommended using bitaddress (offline) via https://github.com/pointbiz/bitaddress.org.

https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961

I found an old thread (2014) promoting this service here. So there could be potential victims, and for those newbies, try to learn everything before using a paper wallet generator.

Topic: Disclosure: Key generation vulnerability found on WalletGenerator.net—potentiall (Read 236 times)