
Topic: Vulnerability discovered on bitcoinpaperwallet[.]com - DO NOT USE IT (Read 552 times)

legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
What I'm talking about is taking the other person's part private key and generating a vanity wallet address
Don't you mean public key?

No.

Part private key is what I said.  Feel free to read up on the subject then we can pick up this conversation where I'm now going to leave it off (until you read up on the subject that is).

I can't see any reason why the other party needs "private" key, partial or not. They only need the public key and then they can move from there by incrementing that point one G at a time until they find the correct public key that generates the desired address. Then all they have to do is to send back the number of times they added G to that point. User can simply add that value to their private key and get the new private key which corresponds to the public key of the vanity address.

It doesn't work like that - as I said, I encourage you to read up on the subject.
legendary
Activity: 3472
Merit: 10611
What I'm talking about is taking the other person's part private key and generating a vanity wallet address
Don't you mean public key?
I can't see any reason why the other party needs "private" key, partial or not. They only need the public key and then they can move from there by incrementing that point one G at a time until they find the correct public key that generates the desired address. Then all they have to do is to send back the number of times they added G to that point. User can simply add that value to their private key and get the new private key which corresponds to the public key of the vanity address.
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
Except how many people know how to split the private key in the first place? Or know that there is actually no splitting involved but you're just taking two random PKs and combining them together?

Most of the procedures people use to generate a split vanity address involve such voodoo as generating a random PK somewhere and then combining them on bitaddress.org.

There is one post that does explain what Bitaddress is doing, and I wrote it, but it has yet to be featured in anyone's software.

Not quite.

What I'm talking about is taking the other person's part private key and generating a vanity wallet address - the result is imported by the sender (the result) into their own wallet.  No-one else can import the found result into their own wallet.  AFAIA no-one has found a vulnerability with this method and it was, or still is, being used and can be found in the various vanity wallet generating threads around the Forum.
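The split-key procedure the quoted post describes (the searcher walks the public key one G at a time, hands back only the offset, and the requester adds that offset to a private key the searcher never sees), as an added Python example that is not code from this thread, from bitaddress.org or from VanitySearch. It assumes a hex prefix of the compressed public key as the vanity target instead of a base58 address, so it needs no RIPEMD-160 or base58 code, and the secp256k1 arithmetic is a minimal textbook implementation written for this illustration.

```python
import secrets
# secp256k1 domain parameters (field prime, group order, generator)
P_FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P_FIELD == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P_FIELD) % P_FIELD
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P_FIELD) % P_FIELD
    x = (lam * lam - a[0] - b[0]) % P_FIELD
    return (x, (lam * (a[0] - x) - a[1]) % P_FIELD)

def scalar_mult(k, pt):  # double-and-add k*pt
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def compress(pt):  # SEC1 compressed encoding as lowercase hex (02/03 + x)
    return ("02" if pt[1] % 2 == 0 else "03") + f"{pt[0]:064x}"

def search_offset(pub, prefix, limit=1 << 20):
    """Searcher side: sees only pub. Walks pub + n*G until the encoding matches."""
    q, n = pub, 0
    while n < limit:
        if compress(q).startswith(prefix):
            return n
        q, n = point_add(q, G), n + 1
    raise RuntimeError("no match within limit")
def combine(d, n):
    """Requester side: the private scalar for the found key is d + n (mod N)."""
    return (d + n) % N_ORDER

def demo(prefix="02a"):
    """Run both sides; returns (keys agree, vanity prefix matched)."""
    d = secrets.randbelow(N_ORDER - 1) + 1  # requester's secret, never shared
    pub = scalar_mult(d, G)                  # the only thing the searcher receives
    n = search_offset(pub, prefix)           # searcher hands back just the offset
    vanity_pub = scalar_mult(combine(d, n), G)
    return vanity_pub == point_add(pub, scalar_mult(n, G)), compress(vanity_pub).startswith(prefix)
```

Because the searcher only ever holds pub and n, it cannot spend from the resulting key; that is the property the post relies on when it says the found result can only be imported by the requester.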
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I wouldn't trust a VanitySearch site that isn't made by me or WhyFy.

The issue is more about who creates the site rather than what is used to create it.

Unless of course you were provided with a Part Private Key in which case there is no chance of interference.  I have rolled a handful of vanity wallets for others using this method via @LoyceV's thread - it was for me to gain some experience at doing such things (and I always ensured LoyceV was paid as it was their thread).

If a website were to take your part private key then there wouldn't be any issue surrounding any website going rogue.

Except how many people know how to split the private key in the first place? Or know that there is actually no splitting involved but you're just taking two random PKs and combining them together?

Most of the procedures people use to generate a split vanity address involve such voodoo as generating a random PK somewhere and then combining them on bitaddress.org.

There is one post that does explain what Bitaddress is doing, and I wrote it, but it has yet to be featured in anyone's software.
legendary
Activity: 3472
Merit: 10611
I wouldn't trust a VanitySearch site that isn't made by me or WhyFy.

The issue is more about who creates the site rather than what is used to create it.
It will be difficult for me to know who I can trust. Just a small search, I can get many search results related to Vanity Search. Most of them are open source on Github. I can't even tell which one is safe or not. It is possible to scan the file before installing, but there might still be vulnerabilities like this subject, right?
I can tell you who not to trust.
You should never trust a website, even if it is popular. For example you should never trust bitaddress.org website even though it is a popular project. Because it is a website and you can't tell what really is happening when you generate a key there.
You should also never trust a Vanity address creator that generates the key on their own. There is nothing stopping them from saving the key. There were ways to make this safe by just giving them a public key and they work from there, but there are some complications involved.
And finally, being open source and on Github doesn't mean they are safe. Being that and popular enough to have their code reviewed by others makes them safe.
hero member
Activity: 2520
Merit: 952
Nice finding but I still don't catch the reason why people easily accept wallet generator from third-party while they can do that with Bitcoin Core or Electrum (creating wallet offline). After that, print or write private keys or mnemonic seeds on paper. It is safer and not too hard to do.

What are the chances that thing mentioned in op can happen with wallets you mentioned as well?
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
I wouldn't trust a VanitySearch site that isn't made by me or WhyFy.

The issue is more about who creates the site rather than what is used to create it.

Unless of course you were provided with a Part Private Key in which case there is no chance of interference.  I have rolled a handful of vanity wallets for others using this method via @LoyceV's thread - it was for me to gain some experience at doing such things (and I always ensured LoyceV was paid as it was their thread).

If a website were to take your part private key then there wouldn't be any issue surrounding any website going rogue.
full member
Activity: 442
Merit: 101
I wouldn't trust a VanitySearch site that isn't made by me or WhyFy.

The issue is more about who creates the site rather than what is used to create it.
It will be difficult for me to know who I can trust. Just a small search, I can get many search results related to Vanity Search. Most of them are open source on Github. I can't even tell which one is safe or not. It is possible to scan the file before installing, but there might still be vulnerabilities like this subject, right?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I have no knowledge of Bitcoin technology, so for safety I think I need to be answered. Is it safe to use open sources to create another site? For example Vanity Search or the like to customize your address. I see some people providing instructions on how to do it, is it really safe? Is the open source you mentioned like Vanity Search?

I wouldn't trust a VanitySearch site that isn't made by me or WhyFy.

The issue is more about who creates the site rather than what is used to create it.
full member
Activity: 442
Merit: 101
I have no knowledge of Bitcoin technology, so for safety I think I need to be answered. Is it safe to use open sources to create another site? For example Vanity Search or the like to customize your address. I see some people providing instructions on how to do it, is it really safe? Is the open source you mentioned like Vanity Search?
legendary
Activity: 3346
Merit: 3125
Users should avoid any service to generate wallets online. There is always a risk; even if the site isn't vulned, the key could get hacked with spoofing or a man-in-the-middle attack. That's why I always recommend that users generate their address with the software on their machines; a good tool for this task is vanitygen. If we use it on a virtual machine without an internet connection we can be safe while creating our addresses.

Never use a paper wallet online service, that's a big mistake and people who do it are risking their coins.
legendary
Activity: 3472
Merit: 10611
I'm wondering when they went rogue in case it was before or after my paper wallets were created.
The malicious site would have created a key that is known by the owner of the website and any coins that you had sent to that address would have been stolen by the time it was created. So if they are untouched until today, there is a good chance that they are safe; however, I wouldn't take any risks if I were you, I'd simply create a new paper wallet the "correct way" and move the coins to the new one.
member
Activity: 88
Merit: 13
Cheers!
You don't need a website or a specialized tool to create a paper wallet because there is nothing special about a paper wallet. It is simply a private key written on a piece of paper. You can just download the main client of the coin you want to create the paper wallet for (in this case Dogecoin core for Dogecoin) and create a new wallet and export one of its private keys with the corresponding address and write that down on a piece of paper.

You misunderstand my question my friend, I am asking because many years ago I'd done some trades on an exchange for DOGE for a good price and figured I'd either buy the coins back later for a lower price or cash them in for bitcoins.  I did neither and a little while later I heard the exchange was in trouble (they ended up folding) so I made a couple of paper wallets (because in those days I couldn't afford the storage to download the bitcoin, dogecoin and some other coin's block-chains) and that's where this website comes in as it was the one I used to create the DOGE coin paper wallets.  I'm wondering when they went rogue in case it was before or after my paper wallets were created.

AFAIK, 7 years ago the project was open source and generated paper wallets using open-source code.
At some point between 2018 and 2019 the project turned into a scam, changing the code from the real open-source one to another, scam one.
You can read more about this story via Google. The site is now a scam and is using that special domain name to earn more.

If that's the case, then my coins are safe as I'd created the paper wallets more than a year earlier than that time frame.  Thanks.
legendary
Activity: 3472
Merit: 10611
Has the DOGE coin paper wallet site been affected too?
https://bitcoinpaperwallet [dot] com/dogecoin-paper-wallet-generator/
When was the original modification (scam) of the bitcoin paper wallet website made?
You don't need a website or a specialized tool to create a paper wallet because there is nothing special about a paper wallet. It is simply a private key written on a piece of paper. You can just download the main client of the coin you want to create the paper wallet for (in this case Dogecoin core for Dogecoin) and create a new wallet and export one of its private keys with the corresponding address and write that down on a piece of paper.
legendary
Activity: 2688
Merit: 3983
Has the DOGE coin paper wallet site been affected too?

https://bitcoinpaperwallet [dot] com/dogecoin-paper-wallet-generator/

When was the original modification (scam) of the bitcoin paper wallet website made?
AFAIK, 7 years ago the project was open source and generated paper wallets using open-source code.
At some point between 2018 and 2019 the project turned into a scam, changing the code from the real open-source one to another, scam one.
You can read more about this story via Google. The site is now a scam and is using that special domain name to earn more.
member
Activity: 88
Merit: 13
Cheers!
Just want to bump this thread, it's already 2021 but the website is up and still scamming bitcoin enthusiasts. And according to this reddit post, help me shut down the bitcoinpaperwallet.com scam.

I have submitted the report already, it's about time that the community works together again to put a stop to the people behind this project.

Has the DOGE coin paper wallet site been affected too?

https://bitcoinpaperwallet [dot] com/dogecoin-paper-wallet-generator/

When was the original modification (scam) of the bitcoin paper wallet website made?
hero member
Activity: 2632
Merit: 833
Just want to bump this thread, it's already 2021 but the website is up and still scamming bitcoin enthusiasts. And according to this reddit post, help me shut down the bitcoinpaperwallet.com scam.

I have submitted the report already, it's about time that the community works together again to put a stop to the people behind this project.
legendary
Activity: 1624
Merit: 2481
This post has been published a year ago.

That's one of the reasons to not use such a service/website to generate a paper wallet. Not even when downloading the source code from github and running it on an offline machine.
It is just not worth the risk.
hero member
Activity: 2660
Merit: 551
This is not new I suppose, because it was reported last year already:
The above article talks about bitcoinpaperwallet[.]com and not WalletGeneratorDOTnet, although I think both sites are run by the same scammer.

The link you gave above is the same link that is included on that thread that I've posted.

You can check it yourself, that's why I said that this is nothing new and it was exposed about the same time last year, May 2019.

But I have to agree that probably the same bad actor is behind these websites.
legendary
Activity: 3472
Merit: 10611
Hopefully they are the exception to the rule?

I have been using https://segwitaddress.org/ for newer "number three" wallet addresses and before that https://www.bitaddress.org/ for the older "number one" addresses.  I can't recall hearing that they are also infected - can anyone confirm they are ok?

You should always do these yourself and only trust your own judgement. To learn how to do it you have to go to the corresponding github repository and download the source code from there. One indication of whether it is changed or not is the last commit date. For example for https://github.com/pointbiz/bitaddress.org it is Dec 24, 2016, which is a good indication that the code is the same as it was 4 years ago.

I would also suggest using a trusted desktop wallet to generate a paper wallet though.