Disclosure: Key generation vulnerability found on WalletGenerator.net—potentially malicious.

Harry
May 24, 2019

If you have used a private key generated on WalletGenerator.net after August 17, 2018, move your funds immediately to a secure address.

TL;DR

  • Who is affected: Anyone who has put funds in a public / private key generated via WalletGenerator.net after August 17, 2018.
  • When: August 17, 2018 — ???. While the malicious behavior is not presently found as of May 24, 2019, it could be reintroduced at any point.
  • What happened: There were changes to the code being served via WalletGenerator.net that resulted in duplicate keypairs being provided to users. These generated keypairs were also potentially stored server-side.
  • What you should do if you are affected: Securely create a new keypair / wallet and move your funds to that new, secure address. Some folks have recommended using bitaddress (offline) via https://github.com/pointbiz/bitaddress.org.
Obviously, don’t use these public / private keys.

Preface

We were able to contact the current owner of the site prior to publishing this post and outlined some of our findings in the hopes they would secure the server and help with the investigation. They responded by stating that they were unable to verify our claims and asking if we were perhaps on a phishing website.

The Long Version

Paper wallet interfaces are a useful and convenient way for users to generate a private / public keypair. Historically, though, these interfaces have been susceptible to vulnerabilities in the RNG / key derivation, whether through malicious or ignorant behavior by the site owners internally or by bad actors externally. If the random number generator is compromised in any way, it can result (and has resulted) in guessable secrets, which can in turn result in user funds being stolen.

This is what has happened with WalletGenerator.net.


Details of the Compromise

WalletGenerator is a website that generates paper wallets for a handful of different cryptocurrencies. The code served on WalletGenerator.net is intended to be open-source and audited, and (supposedly) matches the code here: https://github.com/walletgeneratornet/WalletGenerator.net.

The Code Changes

We investigated the differences by running a diff between the GitHub code and the server code and noticed (among other things) that an XHR request is being performed to grab the coin image. This is strange because the coin image is already downloaded by your browser when you load the HTML page—there should be no need to request it again.

Network capture of the XHR request for bitcoin.png
On the left is the code on GitHub, on the right is the code on production.

Back to the Weird Image Request

Diving deeper into the image file itself, we noticed that the file was unusually large and producing a different sha256sum for different parties. At this point, it appears the image being served by the server was 1) unique for each user (IP address?) and 2) being used to seed the key generation.

$ sha256sum bitcoin.png (United Kingdom)
27cfafd3fe3810a89375a2f3ccc253cd6b2f03b5ff30ec6b41a76f8f2393085d local.png
$ du -hs bitcoin.png
156K bitcoin.png
$ sha256sum bitcoin.png (Netherlands)
4798d4167a98b56dc112878aed578f64ff9fb20fc58774a468e9b53f9aa1fc59 nl.png
$ du -hs bitcoin.png
16K bitcoin.png
$ sha256sum bitcoin.png (California)
4798d4167a98b56dc112878aed578f64ff9fb20fc58774a468e9b53f9aa1fc59 na_cali.png
$ du -hs bitcoin.png
16K bitcoin.png
$ sha256sum bitcoin.png (N. Virginia us-east-1)
86b475b38b137e50e317ce4478cc9abf41d33c158e12d2174dc1dd6f786ec45f onvpn.png
$ du -hs bitcoin.png
156K bitcoin.png
$ sha256sum bitcoin.png (Spain)
4798d4167a98b56dc112878aed578f64ff9fb20fc58774a468e9b53f9aa1fc59 offvpn.png
$ du -hs bitcoin.png
16K bitcoin.png

Generate All the Keys

Approaching from a different angle, we then used the “Bulk Wallet” generator to generate 1,000 keys. In the non-malicious, GitHub version, we are given 1,000 unique keys, as expected.
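
One way to run this bulk-wallet check on saved output, as an added example that is not part of the original post or the WalletGenerator code base. It assumes each output row is `index,address,private key`; the keys in the sample are constructed placeholders, and the pool-size estimate goes beyond what the post reports. With a healthy RNG over a keyspace of roughly 2^256, the chance of any repeat among 1,000 keys is about 1000²/2^257, so a single repeat already indicates a broken generator.

```python
import csv
import io
import math
from collections import Counter

def parse_bulk(text):
    """Private-key column of bulk output; assumed row layout: index,address,key."""
    rows = csv.reader(io.StringIO(text.strip()))
    return [row[2].strip() for row in rows if len(row) >= 3]

def duplicate_report(keys):
    """Totals plus every key that appears more than once."""
    counts = Counter(keys)
    repeated = {k: c for k, c in counts.items() if c > 1}
    return {"total": len(keys), "unique": len(counts), "repeated": repeated}

def estimate_pool_size(total, unique):
    """Estimate how many distinct keys the generator can emit.

    `total` uniform draws from a pool of N keys yield on average
    N * (1 - (1 - 1/N) ** total) distinct values; solve for N by bisection.
    Returns None when no repeat was seen (pool too large to measure this way).
    """
    if unique >= total:
        return None
    lo, hi = float(unique), 1e12
    for _ in range(60):
        mid = (lo + hi) / 2
        expected = -mid * math.expm1(total * math.log1p(-1 / mid))
        lo, hi = (mid, hi) if expected < unique else (lo, mid)
    return round(lo)

def constructed_bulk(n, pool):
    """Constructed sample: n rows whose keys cycle through `pool` placeholders."""
    return "\n".join(
        f'{i + 1},"ADDR-{i * 7 % pool:04d}","KEY-{i * 7 % pool:04d}"' for i in range(n)
    )

if __name__ == "__main__":
    report = duplicate_report(parse_bulk(constructed_bulk(1000, 100)))
    print(report["total"], report["unique"], len(report["repeated"]))
    print("estimated pool:", estimate_pool_size(report["total"], report["unique"]))
```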

Steganography?

We wanted to know what was being inserted into the image, so we used binwalk to extract the data (see the Zlib data). This is a legitimate way to construct a PNG image, and we suspect there is some steganography happening to make the image visually identical while giving each user different bytes.

Seeing some Zlib data at decimal 62 for the malicious image
Seeing no Zlib data for the non-malicious image
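
A way to see where two copies of the same image differ, as an added example that is not from the original post: it walks each PNG's chunks and reports the chunk types whose size or content differ, plus any bytes after IEND. The sample images and the private chunk name `exTr` are constructed for illustration; how the served image actually carried its extra data is not established by the post.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def walk(data):
    """Return [(offset, type, payload, crc_ok)]; bytes after IEND become '(trailing)'."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, out = 8, []
    while pos < len(data):
        if (out and out[-1][1] == "IEND") or len(data) - pos < 12:
            out.append((pos, "(trailing)", data[pos:], False))
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated chunk at offset {pos}")
        crc_ok = zlib.crc32(data[pos + 4:end - 4]) == struct.unpack(">I", data[end - 4:end])[0]
        out.append((pos, ctype.decode("latin-1"), data[pos + 8:end - 4], crc_ok))
        pos = end
    return out

def profile(data):
    """Map chunk type -> (total payload bytes, sha256 over that type's payloads)."""
    acc = {}
    for _, ctype, payload, _ in walk(data):
        size, digest = acc.get(ctype, (0, hashlib.sha256()))
        digest.update(payload)
        acc[ctype] = (size + len(payload), digest)
    return {t: (size, d.hexdigest()) for t, (size, d) in acc.items()}

def differing_chunks(a, b):
    """Chunk types whose size or content differs between two copies of one image."""
    pa, pb = profile(a), profile(b)
    return {t: (pa.get(t), pb.get(t)) for t in sorted(set(pa) | set(pb)) if pa.get(t) != pb.get(t)}

def chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))

def constructed_png(extra=b""):
    """Constructed 1x1 grayscale PNG; `extra` fills a made-up private chunk 'exTr'."""
    parts = [chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))]
    parts += [chunk(b"exTr", extra)] if extra else []
    parts += [chunk(b"IDAT", zlib.compress(b"\x00\x00")), chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(parts)

print(differing_chunks(constructed_png(), constructed_png(b"per-visitor bytes")))
```

Run `differing_chunks` on the bytes of the same image path fetched from two vantage points; an empty result means the copies are chunk-for-chunk identical.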

Determining When

Looking at the snapshots on the Wayback Machine, we can determine that the malicious behaviour was introduced sometime after 2018-08-17 and definitely by 2018-08-25.

The Unknowns

  • What determines whether or not you are served the malicious version of the site / image?
  • How is the malicious image generated, and what data is added? Is it random or known data (IP address, timestamp)?
  • Who made these changes? The current site owner? A malicious party who gained access to the server?

Timeline

  • 2019-05-17—2019-05-20: Investigation and confirmation of malicious behaviour.
  • 2019-05-17—2019-05-22: Consultations with industry security experts on how best to handle the situation to minimize loss of user funds.
  • 2019-05-22: Notified current site owner via email.
  • 2019-05-23: Received (unhelpful) response from current site owner.
  • 2019-05-24: Public disclosure.

Special Thanks

  • Thanks to PhishFort for funding addresses to see if they are auto-swept!
  • Thanks to everyone who provided insights, advice, and confirmation of our initial assumptions.
  • Thanks to MyCrypto for giving me the ability to investigate these types of situations and providing necessary support and resources.

Updates

  • This post will be updated if / when new information comes to light. It was last modified 2019-05-24 @ 5:30am PT.

For now, we’ll reiterate: If you’ve generated a public/private keypair with WalletGenerator.net from August 17, 2018, and beyond, you need to move your funds to a new, secure wallet immediately.

MyCrypto

The Official MyCrypto Blog
