Millions of Cryptocurrency Wallets Found Affected by Randstorm Flaw | Cyware Hacker News
Millions of browser-based cryptocurrency wallets are affected by an open-source software vulnerability that attackers could abuse to steal over $1 billion worth of cryptocurrency. The vulnerability, dubbed Randstorm, affects the 0.13 version of BitcoinJS, a popular JavaScript library used to generate cryptocurrency wallets.
In more detail
The vulnerability primarily affects multiple crypto projects and blockchains generated using BitcoinJS between 2011 and 2015.
- According to Unciphered, a company specializing in cryptocurrency recovery, the Randstorm vulnerability can be abused by gaining access to the 32- to 64-bit GUID wallet number generated during wallet creation.
- Because the effective keyspace is only one in several thousand instead of one in a trillion, affected wallets are susceptible to brute-force attacks.
- While the vulnerability is exploitable, the effort required to exploit a vulnerable wallet varies, and it increases considerably for wallets generated later in the affected period.
- Researchers found that it was more difficult to launch an attack against impacted wallets generated in 2014 as compared to those generated in 2012.
Affected wallets
- At least 15 vendors are affected by the vulnerability, including Blockchain.info (renamed Blockchain.com), Dogechain.info, BitGo, Bitcore by BitPay, and BitPay.
- Litecoin and Zcash wallets are also possibly affected by the flaw.
- Many GitHub projects that incorporated BitcoinJS during the affected time frame could also be vulnerable to cyberattacks.
Conclusion
Individuals with assets in the affected wallets are advised to move their funds to a newly generated wallet created with better-trusted software. Vendors are also recommended to audit the GitHub library and the BitcoinJS ecosystem to confirm that users' sensitive information and financial assets are secure.