A cybersecurity startup named Unciphered has revealed a critical vulnerability in cryptocurrency wallets dating from 2011 to 2015 that were created using BitcoinJS, a software for generating Bitcoin wallets. This security flaw, which could potentially affect billions of dollars in digital assets, was unearthed during an extensive 22-month investigation by the firm.
The vulnerability surfaced while Unciphered was assisting a client who could not access their Blockchain.com bitcoin wallet. The issue stems from the SecureRandom function within the JSBN javascript library and is exacerbated by weaknesses found in the Math.random function implementations of major browsers during that period.
The SecureRandom function's primary role is to collect entropy to generate random numbers needed for creating secure Bitcoin private keys. However, due to insufficient entropy collection and flaws in the Pseudo Random Number Generator (PRNG), the function did not provide the required 256 bits of randomness. As a result, some wallets are more susceptible to attacks where key material could be retrieved by malicious actors.
The risk presented by this flaw has been somewhat reduced over time as new wallets have incorporated additional sources of entropy, enhancing security measures. Nonetheless, the potential impact of this vulnerability is significant, affecting not only bitcoin but also wallets based on dogecoin, litecoin, and zcash. Moreover, any services and projects that derived their code from BitcoinJS during those years might also be at risk.
This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.