Warning of Critical Randstorm Vulnerability in Crypto Wallets
A recent report by a blockchain security company Unciphered has revelead a critical vulnerability dubbed “Randstorm” affecting cryptocurrency wallets created between 2011 and 2015. It makes it possible to recover passwords and gain unauthorized access to a multitude of wallets spanning blockchain platforms. The report disclosed that Randstorm could affect several blockchain projects in the cryptocurrency industry, including Bitcoin, Dogecoin, Litecoin and ZCash.
The crux of the Randstorm vulnerability stems from the use of Bitcoin JS library, a widely used JavaScript library for developing crypto wallets. It was this library that contained vulnerable open-source code from a Stanford University project, which led to a lack of randomness when generating cryptographic keys. The weakness in random number generation, which is crucial to the security of wallets, stems from the library’s dependency on the SecureRandom() function and the web browsers’ implementation of Math.random() at that time. Together, these factors created a scenario in which the cryptographic keys of wallets could be more easily decrypted.
It is estimated that approximately 1.4 million bitcoins are at risk. Although the vulnerable code in the BitcoinJS library was discontinued in March 2014, this risk persists for wallets generated before this change. The easiest wallets to crack open are those that were generated before March 2012. Users can check if their wallets are vulnerable at www.keybleed.com.
The discovery of the vulnerability was part of a process involving coordinated disclosures with the affected parties and extensive analysis to prevent the release of information about the vulnerability that could be exploited by potential threat actors. Unciphered contacted vendors and blockchain platforms to warn them of the vulnerability. As a result, more than a million users were notified of the potential risk to their wallets. The company highlights the need for users of affected wallets to move their assets to new wallets generated with updated and secure software.
The disclosure of the Randstorm vulnerability speaks to a bigger issue of software supply chain security, in particular dependencies on open-source software and libraries, and how vulnerabilities in such foundational libraries can be a threat to the supply chain, as was previously revealed in the case of Apache Log4j in late 2021.
Sources:
https://thehackernews.com/2023/11/randstorm-exploit-bitcoin-wallets.html?m=1.
https://www.ibtimes.com/experts-warn-21b-risk-due-vulnerabilities-obsolete-crypto-wallets-3718605.
« Späť na zoznam