Bitcoin wallets created between 2011 and 2015 are vulnerable to a new type of exploit called Randstorm which makes it possible to recover passwords and gain unauthorized access to multiple wallets spanning multiple blockchain platforms.
“Randstorm() is a term we coined to describe a collection of bugs, design decisions, and API changes that, when in contact with each other, combine to reduce the quality of random number created by web browsers in a certain period ( 2011-2015),” No miss exposed in a report published last week.
It is estimated that approximately 1.4 million bitcoins are parked in wallets created with potentially weak cryptographic keys. Customers can check if their wallets are vulnerable at www.keybleed(.)com.
The cryptocurrency recovery company said it found the problem again in January 2022 while it working for an unnamed customer who is locked in its Blockchain.com wallet. The issue is first emphasized back in 2018 by a security researcher with the alias “ketamine.”
As a result, the lack of sufficient entropy can be exploited to perform brute-force attacks and recover wallet private keys generated with the BitcoinJS library (or projects that depend on it). The easiest wallets to open are those created before March 2012.
The findings once again shed new light on the open source dependencies that power the software infrastructure and how vulnerabilities in such foundational libraries can pose risks to the chain of supply, as previously revealed in the case of Apache Log4j in late 2021.
“The error has already been committed in the wallets created with the software, and it will remain there forever unless the funds are transferred to a new wallet created with the new software,” Unciphered said.