Website for storing digital currencies hosted code with a sneaky backdoor
A website that bills itself as providing a safer way to store Bitcoin and other digital currencies has been using a coding sleight of hand to generate private keys that are suspiciously trivial for the operators to guess, leaving all funds stored in the wallets open to theft, researchers with a different service said on Friday.
WalletGenerator.net provides code for creating what are known as paper wallets for 197 different cryptocurrencies. Paper wallets were once billed as a secure way to store digital coins because—in theory, at least—the private keys that unlock the wallets are stored on paper, rather than on an Internet-connected device that can be hacked. (In reality, paper wallets are open to hack for a variety of reasons.) While the site advises people to download the code from this Github page and run it while the computer is unplugged from the Internet, it also hosted a simpler, stand-alone service above all the instructions for generating the same wallets.
Researchers from MyCrypto, which provides an open-source tool for cryptocurrency and blockchain users, compared the code hosted on Github and WalletGenerator.net and found some striking differences. Sometime between August 17 and August 25 of last year, the WalletGenerator.net code was changed to alter the way it produced the random numbers that are crucial for private keys to be secure.