Unciphered‘s exhaustive 22-month investigation has unearthed a significant flaw in BitcoinJS, a widely used browser-based cryptocurrency wallet generation tool. This flaw stems from the SecureRandom function in the JSBN javascript library, compounded by weaknesses in major browsers’ Math.random implementations. This vulnerability, affecting wallets created from 2011 to 2015, makes them susceptible to attacks, with earlier wallets being more vulnerable.

Unciphered disclosed that it has coordinated with various entities to alert millions of users about this vulnerability. For individuals with assets in affected wallets, immediate action is recommended: transferring assets to newly generated wallets using reliable software. This proactive step is crucial for safeguarding digital assets against potential exploitation.

The vulnerability first surfaced for the team during a project for a client locked out of a Blockchain.com bitcoin wallet. This led to the rediscovery of a potential issue in BitcoinJS-generated wallets from 2011-2015. The implication is staggering, potentially affecting millions of cryptocurrency wallets generated during this period, with a significant value of assets at risk.

The vulnerability arises from the way BitcoinJS, a Javascript implementation of Bitcoin, used the JSBN library’s SecureRandom function. This function’s deficiency, particularly in its entropy collection and PRNG (pseudo-random number generator), creates a situation where key material could potentially be recovered by an attacker. The SecureRandom function’s failure to effectively utilize browser cryptographic functions compounded this issue, relying instead on weaker RNG methods.

This situation is critical because bitcoin private keys, requiring 256 bits of entropy, were generated with less entropy than needed. The varied impact of this vulnerability makes some wallets more susceptible to attacks than others. However, certain mitigation measures, like incorporating additional entropy sources, have been implemented over time, reducing the risk for newer wallets.

The vulnerability extends beyond bitcoin, potentially affecting dogecoin, litecoin, and zcash-based wallets. Various wallet services and projects that derived their code from BitcoinJS, including popular ones like Dogechain.info and Blockchain.info, might also be impacted. This highlights the widespread implications of the vulnerability across multiple cryptocurrencies.

Unciphered’s researchers detail that historically, third-party library dependencies have often led to vulnerabilities in software development. Similar issues have been seen in other projects, such as OpenSSL on Debian platforms. The current situation with BitcoinJS and its ecosystem exemplifies this ongoing risk in software development, especially when it comes to securing financial assets and sensitive information.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。