WalletGenerator.net, the open-source client-side wallet generator, came under scrutiny after reports that malicious changes had been made to the code it serves.
Los Angeles-based blockchain firm MyCrypto urged users to move funds to a secure address if their private key was generated on WalletGenerator.net after August 17, 2018. The tweet read:
After thorough investigation, we have reason to believe that anyone who has used a wallet from https://t.co/OlWsLvga8g from August 17 2018 and onward is at risk of losing their funds.
— MyCrypto.com (@MyCrypto) May 24, 2019
According to the findings of the open-source blockchain firm MyCrypto, changes to the code being served via WalletGenerator.net caused it to generate “duplicate keypairs” for users of the platform, and those keypairs were potentially stored server-side.
WalletGenerator.net produces paper wallets. Paper wallet interfaces, which generate a private/public key pair for users, are “historically” very unsafe. Once the random number generator is compromised, funds can easily be stolen from the user’s wallet, MyCrypto said.
The firm noted that the code being served via the WalletGenerator.net URL did not match the code on GitHub, which raised suspicion.
When asked how the LA-based firm detected the “subtle difference” in the images, a Twitter user, @sniko_, who also works with MyCrypto, tweeted,
“You get identical keys if you run the generation process with and without refreshing. After x timeframe, your image hash changes so you get different keys. There were differences in the code on the server to GitHub which first raised suspicion, then we investigated”
The official blog post stated that the code has since been changed and that the “malicious behavior” was no longer found as of May 24, 2019; however, it could be reintroduced at any point. MyCrypto also said that it is not clear who introduced the malicious changes to the code.
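The two observations described above (served code that does not match the GitHub copy, and identical keys across separate generation runs) can be scripted as checks. This is an added example, not code from MyCrypto or WalletGenerator.net; the JavaScript snippets, function names, session names and key strings in it are constructed placeholders.

```python
import difflib
import hashlib
from collections import defaultdict


def compare_builds(served: bytes, reference: bytes) -> dict:
    """Compare the file a site serves with a pinned copy from the repository."""
    diff = list(difflib.unified_diff(
        reference.decode("utf-8", "replace").splitlines(),
        served.decode("utf-8", "replace").splitlines(),
        "reference", "served", lineterm="", n=0))[2:]  # drop the two file headers
    return {
        "match": hashlib.sha256(served).digest() == hashlib.sha256(reference).digest(),
        "served_sha256": hashlib.sha256(served).hexdigest(),
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        # keep only removed/added lines, not the @@ hunk markers
        "changed_lines": [l for l in diff if l.startswith(("+", "-"))],
    }


def duplicate_keys(sessions: dict) -> dict:
    """Return {key: [session ids]} for every key produced in more than one session."""
    seen = defaultdict(set)
    for session_id, keys in sessions.items():
        for key in keys:
            seen[key].add(session_id)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


# Constructed sample input: not the real site's code and not real keys.
REFERENCE = b"function newKey() {\n  return fromSecureRandom(32);\n}\n"
SERVED = b"function newKey() {\n  return fromFixedSeed(32);\n}\n"
SESSIONS = {
    "run-1-no-refresh": ["KEY-PLACEHOLDER-A"],
    "run-2-after-refresh": ["KEY-PLACEHOLDER-A"],
    "run-3-next-day": ["KEY-PLACEHOLDER-B"],
}

if __name__ == "__main__":
    report = compare_builds(SERVED, REFERENCE)
    print("served matches reference:", report["match"])
    for line in report["changed_lines"]:
        print("  ", line)
    for key, where in duplicate_keys(SESSIONS).items():
        print("duplicate key", key, "seen in", where)
```

A key generator backed by a sound random source should never repeat a key across independent sessions, so any entry returned by `duplicate_keys` is a reason to stop using the generator and inspect the served code.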
The post Malicious code added to WalletGenerator.net; claims blockchain firm appeared first on AMBCrypto.