MyCrypto Points Out Recognized Paper Wallet Generator Affected By Mysterious Vulnerability
WalletGenerator, a popular and recognized paper wallet generator, has fallen prey to a mysterious vulnerability that could affect users’ funds. The service generates private and public keys so that users can store their digital currencies. However, users who put funds in these wallets after August 17, 2018, could be affected by a vulnerability. The information was released by MyCrypto in a recently uploaded blog post.
Key Generation Vulnerability Found on WalletGenerator
According to analysts at MyCrypto, the key generator used by WalletGenerator has been contaminated. A generator is supposed to ensure that both public and private keys are truly randomized, which is what keeps the funds secure. In this case, the wallets were being generated from a single, static data source, which means that key pairs can be reproduced by a bad actor who has access to the image data.
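To make the difference concrete, here is an added example (not code from WalletGenerator or MyCrypto) that models a generator seeded from static data beside one that draws from the operating system CSPRNG, and audits both for repeated keys across fresh sessions. The static bytes, the function names and the hash-plus-counter derivation are assumptions for illustration; the page does not describe the actual mechanism.

```javascript
const crypto = require("crypto");

// Constructed stand-in for the static image data the article mentions.
const STATIC_IMAGE_BYTES = Buffer.from("constructed-sample-image-bytes");

// Flawed pattern (assumed model): every "random" 32-byte secret is derived
// from the same static bytes plus a counter, so the output is fully
// determined by data that does not change between page loads.
function makeStaticSeededGenerator(staticBytes) {
  let counter = 0;
  return () =>
    crypto.createHash("sha256")
      .update(staticBytes)
      .update(String(counter++))
      .digest("hex");
}

// Sound pattern: 32 fresh bytes from the operating system CSPRNG per key.
function makeCsprngGenerator() {
  return () => crypto.randomBytes(32).toString("hex");
}

// Audit: simulate `sessions` fresh page loads, each producing `perSession`
// secrets, and count the distinct values. A healthy generator never repeats
// across sessions; a static-seeded one returns the same secrets every time.
function auditGenerator(factory, sessions, perSession) {
  const seen = new Set();
  let total = 0;
  for (let s = 0; s < sessions; s++) {
    const next = factory(); // fresh generator state, like reloading the page
    for (let i = 0; i < perSession; i++) {
      seen.add(next());
      total++;
    }
  }
  return { total, unique: seen.size, reproducible: seen.size < total };
}

const weak = auditGenerator(
  () => makeStaticSeededGenerator(STATIC_IMAGE_BYTES), 20, 5);
const sound = auditGenerator(makeCsprngGenerator, 20, 5);

console.log("static-seeded:", weak); // 100 generated, only 5 distinct
console.log("CSPRNG:       ", sound); // 100 generated, 100 distinct
```

The same audit can be pointed at any generator function: a distinct count below the number of keys requested means the output is not coming from fresh randomness.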
⚠️ SECURITY ALERT ⚠️
After thorough investigation, we have reason to believe that anyone who has used a wallet from https://t.co/OlWsLvga8g from August 17 2018 and onward is at risk of losing their funds.
— MyCrypto.com (@MyCrypto) May 24, 2019
The blog post explains that anyone who put funds in an address generated through the WalletGenerator after August 17, 2018 can be affected. At the same time, they mentioned that although this behavior is not currently present, it could be reintroduced at any point.
At this time, the code on GitHub is not malicious nor vulnerable, nor has it been malicious or vulnerable previously.
In order to solve this issue, it is important to create a new key pair or wallet and move the funds to that new and secure address. Users recommend using a bitaddress generator that works offline.
According to MyCrypto, they were able to contact the current owner of the site before publishing the post and explained some of the issues they found. The owner responded that they were not able to verify these claims and that the issues could have been found on a phishing site.
Regarding the owner of the site, MyCrypto explained:
“In this strange turn of events, we still have no idea whether the current site-owner is the malicious party, if the server is insecure, or both.”
They recommend that users not use WalletGenerator.net moving forward, even if the code at this very moment is not vulnerable. Users should consider using other services to generate new wallets.
It is worth mentioning that WalletGenerator is very popular and it offers services to 140,000 monthly users according to SimilarWeb.