Bitcoin Forum>Other>Beginners & Help
Pages:
Author

Topic: Vulnerability discovered on bitcoinpaperwallet[.]com - DO NOT USE IT - page 2. (Read 520 times)

jseverson
hero member
Activity: 1834
Merit: 759
Re: Vulnerability discovered on bitcoinpaperwallet[.]com - DO NOT USE IT
May 17, 2020, 10:59:01 PM
#8
Quote from: Chivas Regal on May 17, 2020, 09:23:44 PM
Hopefully they are the exception to the rule?

I have been using https://segwitaddress.org/ for newer "number three" wallet addresses and before that https://www.bitaddress.org/ for the older 'number one" addresses.  I can't recall hearing that they are also infected - can anyone confirm they are ok?


It seems like both of those are safe for now, as I couldn't find any legitimate scam accusations. Considering this is an incredibly high stake scenario though, when in doubt, it's best to simply go for the more reputable options. As others have pointed out, Bitcoin Core and Electrum are popular, and therefore more scrutinized, making them safer to trust for people who can't review code by themselves.
Chivas Regal
member
Activity: 88
Merit: 13
Cheers!
Re: Vulnerability discovered on bitcoinpaperwallet[.]com - DO NOT USE IT
May 17, 2020, 09:23:44 PM
#7
Hopefully they are the exception to the rule?

I have been using https://segwitaddress.org/ for newer "number three" wallet addresses and before that https://www.bitaddress.org/ for the older 'number one" addresses.  I can't recall hearing that they are also infected - can anyone confirm they are ok?
hugeblack
legendary
Activity: 2506
Merit: 3645
Buy/Sell crypto at BestChange
Re: Vulnerability discovered on bitcoinpaperwallet[.]com - DO NOT USE IT
May 17, 2020, 09:11:53 PM
#6
Quote from: OcTradism on May 17, 2020, 10:14:09 AM
Nice finding but I still don't catch the reason why people easily accept wallet generator from third-party while they can do that with Bitcoin Core or Electrum (creating wallet offline). After that, print or write private keys or mnemonic seeds on paper. It is safer and not too hard to do.
I can think of two logical reasons:

 - They believe that it is the same as Bitcoin Core or Electrum security because it is open source and addresses can be generated offline.
 - Attractive and elegant designs that are suitable for gifts, and are easy to print.

Quote from: hatshepsut93 on May 17, 2020, 10:24:55 AM
there's hundreds of independent users who check the changes and have enough skill and familiarity with the codebase to do so.
I agree with you, the relative security that many users feel that the wallet is open source or running it offline makes them trust them without reviewing the code.
Unfortunately, the random generation function can produce predictable private keys.

BTW: Here's a python code that generates such predictable addresses:

Code:
#!/usr/bin/env python3
# [repo]    github.com/brianddk/reddit/blob/master/python/bad_address.py
# [req]     pip3 install pycoin mnemonic

from mnemonic import Mnemonic
from pycoin.symbols.btc import network as btc

code = ("abandon abandon abandon abandon abandon abandon" +
        " abandon abandon abandon abandon abandon about")
path = '44H/0H/0H/0/0'
mnemo = Mnemonic("english")

one_privkey = btc.parse.secret_exponent(1).address()
zero_hash   = btc.address.for_p2pkh(bytes([0]*20))
zero_bip39  = btc.keys.bip32_seed(mnemo.to_seed(code)
                ).subkey_for_path(path).address()

print(one_privkey, zero_bip39, zero_hash)   

Quote from: btc_angela on May 17, 2020, 06:24:14 PM
This is not new I supposed, because it was reported last year already:
The above article talks about bitcoinpaperwallet[.]com and not WalletGeneratorDOTnet, although I think both sites are run by the same scammer.

 
btc_angela
hero member
Activity: 2604
Merit: 542
Re: Vulnerability discovered on bitcoinpaperwallet[.]com - DO NOT USE IT
May 17, 2020, 06:24:14 PM
#5
This is not new I supposed, because it was reported last year already:

[1] Disclosure: Key generation vulnerability found on WalletGenerator.net

[2] Disclosure: Key generation vulnerability found on WalletGenerator.net—potentiall
khaled0111
legendary
Activity: 2520
Merit: 2853
Top Crypto Casino
Re: Vulnerability discovered on bitcoinpaperwallet[.]com - DO NOT USE IT
May 17, 2020, 06:10:14 PM
#4
Quote from: OcTradism on May 17, 2020, 10:14:09 AM
Nice finding but I still don't catch the reason why people easily accept wallet generator from third-party while they can do that with Bitcoin Core or Electrum (creating wallet offline).
Not everyone can afford to run bitcoin core and isn't Electrum, in one way or another, a third-party software!
You are missing the point here which is "don't trust, verify".
It doesn't matter whether you use it online or offline if you do not verify its code and know how things work under the hood.
hatshepsut93
legendary
Activity: 2954
Merit: 2145
Re: Vulnerability discovered on bitcoinpaperwallet[.]com - DO NOT USE IT
May 17, 2020, 10:24:55 AM
#3
Browser-based software is inherently less safe, because each time you open the site is like installing a program anew. This can make it harder to audit, because a server can selectively serve malicious code.

Quote from: hugeblack on May 17, 2020, 09:59:58 AM
In brief:

 - Being open-source, code on GitHub, runs offline, does not mean that you are safe.


This is why it's important to use open source software that has the most users, it increases chances of catching malicious modifications early. When Core or Electrum releases new version, there's hundreds of independent users who check the changes and have enough skill and familiarity with the codebase to do so.
OcTradism
hero member
Activity: 1722
Merit: 801
Re: Vulnerability discovered on bitcoinpaperwallet[.]com - DO NOT USE IT
May 17, 2020, 10:14:09 AM
#2
Nice finding but I still don't catch the reason why people easily accept wallet generator from third-party while they can do that with Bitcoin Core or Electrum (creating wallet offline). After that, print or write private keys or mnemonic seeds on paper. It is safer and not too hard to do.
hugeblack
legendary
Activity: 2506
Merit: 3645
Buy/Sell crypto at BestChange
Re: Vulnerability discovered on bitcoinpaperwallet[.]com - DO NOT USE IT
May 17, 2020, 09:59:58 AM
#1
In brief:

 - Being open-source, code on GitHub, runs offline, does not mean that you are safe.
 - If you have not read every line in Khaled, and the code on the site matches Khaled, then you are not safe.
 - Ensure that code being served via the URL match the code on GitHub.
 - Don’t trust, Verify.

Warning: bitcoinpaperwallet[Dot]com/walletgenerator[Dot]net have a backdoor that leaves you at risk of your funds being stolen.

there have been changes in the code being served via the bitcoinpaperwallet[.]com did not match the code on GitHub and thus duplicate keypairs being provided to users(potentially making the keys generated non-random or producible.)

Quote from: https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961
When generating a key, you take a super-random number, turn it into the private key, and turn that into the public key / address. However, if the “super-random” number is always “5,” the private key that is generated will always be the same. This is why it’s so important that the super-random number is actually random…not “5.”
Code:
  var base64 = "data:image/png;base64," + btoa([].reduce.call(new Uint8Array(this.response),function(p,c){return p+String.fromCharCode(c)},''));
                for(var i = 0; i < base64.length; i++)
                {
                    if(i+3 < base64.length)
                    {
                        if(base64.charCodeAt(i) != 0 && base64.charCodeAt(i+1) != 0 && base64.charCodeAt(i+2) != 0 && base64.charCodeAt(i) != 1 && base64.charCodeAt(i+1) != 1 && base64.charCodeAt(i+2) != 1)
                        {
                            SecureRandom.seedInt((base64.charCodeAt(i) * base64.charCodeAt(i+1) * base64.charCodeAt(i+2))*(i+1));
                        }
                    }
                }
                SecureRandom.loaded = 1;
            };

Source ----> https://bitcointalksearch.org/topic/m.54444963

Read more ----> https://twitter.com/MyCrypto/status/1261830475003252736
Pages:
Bitcoin Forum>Other>Beginners & Help
Jump to: