If you have used a private key generated on WalletGenerator.net after August 17, 2018, move your funds immediately to a secure address.
- Who is affected: Anyone who has put funds in a public/private key generated via WalletGenerator.net after August 17, 2018.
- When: August 17, 2018 — ???. While the malicious behavior is not presently found as of May 24, 2019, it could be reintroduced at any point.
- What happened: There were changes to the code being served via WalletGenerator.net that resulted in duplicate keypairs being provided to users. These generated keypairs were also potentially stored server-side.
- What you should do if you are affected: Securely create a new keypair / wallet and move your funds to that new, secure address. Some folks have recommended using bitaddress (offline) via https://github.com/pointbiz/bitaddress.org.
We were able to contact the current owner of the site prior to publishing this post and outlined some of our findings in the hopes they would secure the server and help with the investigation. They responded by stating that they were unable to verify our claims and asking if we were perhaps on a phishing website.
Sometime between the time we were last investigating and testing (the evening of May 22, 2019) and the time we received an email response from the current site owner (midday, May 23, 2019), the code being served to the site was modified to remove the previously-added, malicious, code.
In this strange turn of events, we still have no idea whether the current site owner is the malicious party, if the server is insecure, or both.
We’re still considering this highly suspect and still recommending users who generated public/private keypairs after August 17, 2018 to move their funds. We do not recommend using WalletGenerator.net moving forward, even if the code at this very moment is not vulnerable.
The Long Version
Paper wallet interfaces are a super useful and convenient tool for users to easily generate a private/public keypair though, historically, these interfaces have been susceptible to vulnerabilities in the RNG / key derivation due to malicious or ignorant behavior internally by the site owners or externally by bad actors. If the random number generator is compromised in any way, it can result (and has resulted) in guessable secrets which can result in user funds being stolen.
This is what has happened with WalletGenerator.net.
Read the full article HERE
pinoycrypto.com aggregates, filters, sorts and ranks news from the Philippines and around the globe via public news sources. All content, views & opinions shown on this website belong to the respective author unless otherwise clearly stated. The information on this site is for educational and entertainment purposes only. We do not offer any financial advice or investment advice, nor do we endorse investments into any cryptocurrencies. Please be careful and do your own research and if you see anything not correct on this website please notify us immediately using our contact form. Thank you.