WalletGenerator.net Issued the Same Key to Multiple Users

Tuesday, 28/05/2019 | 07:54 GMT by Arnab Shome
  • The developers of the project say they could not verify claims of malicious code in their software
WalletGenerator.net Issued the Same Key to Multiple Users
Finance Magnates

Popular crypto paper wallet maker WalletGenerator.net ran a set code with a serious vulnerability that may have affected its users, a security researcher said.

Revealed by Harry Denley, a researcher with MyCrypto.com, the vulnerability with the wallet generator's open source code available on Github issued identical public and Private Key pairs to multiple users.

The malicious code was generating a similar set of keys since August 17 of last year. Though Denly did not find malicious behavior in the present set of codes, he is not certain when the previous version was replaced by the secure version.

To test and confirm the vulnerability, the researcher ran a rigorous test on the open source codes archived on Github.

“Approaching from a different angle, we then used the “Bulk Wallet” generator to generate 1,000 keys. In the non-malicious, GitHub version, we are given 1,000 unique keys, as expected,” he wrote on the May 24 Medium post.

“However, using WalletGenerator.net at various times between May 18, 2019 — May 23, 2019, we would only get 120 unique keys per session. Refreshing our browser, switching VPN locations, or having a different party perform the same test would result in a different set of 120 keys being generated.”

Randomness is the key

Vaguely explaining the importance of the process of key generation, Denley noted: “ELI5: When generating a key, you take a super-random number, turn it into the private key, and turn that into the public key/address. However, if the ‘super-random' number is always ‘5,’ the private key that is generated will always be the same. This is why it’s so important that the super-random number is actually random…not ‘5.”

Ignorant or suspicious

MyCrypto also reached out to the developers of WalletGenerator.net and informed them of the issue while it ran the tests. Although the developers patched the malicious code, according to Denley’s post, they responded that the claims could not be verified and asked if he was on a “Phishing website.”

Popular crypto paper wallet maker WalletGenerator.net ran a set code with a serious vulnerability that may have affected its users, a security researcher said.

Revealed by Harry Denley, a researcher with MyCrypto.com, the vulnerability with the wallet generator's open source code available on Github issued identical public and Private Key pairs to multiple users.

The malicious code was generating a similar set of keys since August 17 of last year. Though Denly did not find malicious behavior in the present set of codes, he is not certain when the previous version was replaced by the secure version.

To test and confirm the vulnerability, the researcher ran a rigorous test on the open source codes archived on Github.

“Approaching from a different angle, we then used the “Bulk Wallet” generator to generate 1,000 keys. In the non-malicious, GitHub version, we are given 1,000 unique keys, as expected,” he wrote on the May 24 Medium post.

“However, using WalletGenerator.net at various times between May 18, 2019 — May 23, 2019, we would only get 120 unique keys per session. Refreshing our browser, switching VPN locations, or having a different party perform the same test would result in a different set of 120 keys being generated.”

Randomness is the key

Vaguely explaining the importance of the process of key generation, Denley noted: “ELI5: When generating a key, you take a super-random number, turn it into the private key, and turn that into the public key/address. However, if the ‘super-random' number is always ‘5,’ the private key that is generated will always be the same. This is why it’s so important that the super-random number is actually random…not ‘5.”

Ignorant or suspicious

MyCrypto also reached out to the developers of WalletGenerator.net and informed them of the issue while it ran the tests. Although the developers patched the malicious code, according to Denley’s post, they responded that the claims could not be verified and asked if he was on a “Phishing website.”

About the Author: Arnab Shome
Arnab Shome
  • 6611 Articles
  • 97 Followers
About the Author: Arnab Shome
Arnab is an electronics engineer-turned-financial editor. He entered the industry covering the cryptocurrency market for Finance Magnates and later expanded his reach to forex as well. He is passionate about the changing regulatory landscape on financial markets and keenly follows the disruptions in the industry with new-age technologies.
  • 6611 Articles
  • 97 Followers

More from the Author

CryptoCurrency

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}