A vulnerability in the code running on the paper wallet creator WalletGenerator.net was discovered by Harry Denley, a security researcher at MyCrypto. In a recent blog post, Denley explained that the online crypto paper wallet generator was running code that caused identical private and public key pairs to be issued to numerous users.
According to Denley, the flawed code had reportedly been live since August 2018 and was not fixed until May 23. The code running on the company's site was supposed to be the same open-source code published on GitHub for public audit; however, discrepancies were found between the two.
MyCrypto's security researcher reviewed the live code and determined that, on the site's live version, keys were being generated deterministically rather than randomly.
120 out of 1,000 Unique Keys
In a test conducted from May 18 to 23, MyCrypto used WalletGenerator's bulk generator to create 1,000 keys. The GitHub version returned 1,000 distinct keys, while the live code returned only 120 unique keys. They ran the generator several times, changing the user, the VPN and refreshing the browser, and it returned 120 keys every time instead of the expected 1,000 unique keys.
Genuine randomness is required to produce unique key pairs; without it, different users can end up holding the same keys, which defeats the security of the paper wallets.
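The bulk-generator check described above can be reproduced against any key generator. The following Python script is an added example, not code from the article or from WalletGenerator.net: it models a weak generator whose entropy comes from a pool of only 120 seed values (a constructed stand-in for the low-entropy behaviour described, not the site's actual code) beside a generator backed by the OS CSPRNG, requests 1,000 keys from each, counts how many are unique, and checks whether a second run (standing in for another user or session) receives the same keys. All function and constant names here are assumptions of this example.

```python
import hashlib
import secrets
from collections import Counter
from typing import Callable, Dict, List

# Hypothetical, constructed model of a weak generator: the entropy feeding each
# key comes from a pool of only WEAK_SEED_POOL distinct seed values, so however
# many keys are requested, at most 120 distinct keys can come out.
# This illustrates low-entropy key generation; it is NOT WalletGenerator.net's code.
WEAK_SEED_POOL = 120


def weak_key(i: int) -> bytes:
    """Key number i of a bulk run, derived from a seed in a 120-value pool."""
    seed = (i % WEAK_SEED_POOL).to_bytes(4, "big")
    # SHA-256 stands in for whatever key derivation a real generator performs.
    return hashlib.sha256(b"constructed-weak-seed:" + seed).digest()


def strong_key(_i: int) -> bytes:
    """256 bits straight from the OS CSPRNG; the index is irrelevant."""
    return secrets.token_bytes(32)


def bulk_generate(make_key: Callable[[int], bytes], n: int) -> List[bytes]:
    """Mimic a 'bulk generator': request n keys from one generator."""
    return [make_key(i) for i in range(n)]


def audit_bulk_run(keys: List[bytes]) -> Dict[str, int]:
    """Count how many of the generated keys are actually distinct."""
    counts = Counter(keys)
    return {
        "requested": len(keys),
        "unique": len(counts),
        "duplicated": sum(1 for c in counts.values() if c > 1),
        "max_repeats": max(counts.values()) if counts else 0,
    }


def overlap_between_runs(run_a: List[bytes], run_b: List[bytes]) -> int:
    """Number of keys two independent runs have in common.

    With a real CSPRNG, two runs of 256-bit keys should never overlap; a
    deterministic generator hands the same keys to every session or user.
    """
    return len(set(run_a) & set(run_b))


if __name__ == "__main__":
    for name, gen in (("weak (constructed)", weak_key), ("CSPRNG", strong_key)):
        first = bulk_generate(gen, 1000)
        second = bulk_generate(gen, 1000)  # "another user, another session"
        print(name, audit_bulk_run(first),
              "shared with second run:", overlap_between_runs(first, second))
```

Run as-is: the constructed weak generator reports 120 unique keys out of 1,000 requested and shares all 120 with a second run, while the CSPRNG-backed generator reports 1,000 unique keys and shares none. The same two checks, unique count and cross-session overlap, are what an auditor would apply to a live wallet generator whose output should never repeat.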
WalletGenerator reportedly resolved the determinism issue after MyCrypto raised the problem with the company while its research was still in progress. The wallet creator was said to have claimed that MyCrypto's allegations could not be verified, and even asked whether MyCrypto was a "phishing website."