Bitcoin web wallet addresses generated with a flawed library are exposed to brute-force attacks
16.4.2018 securityaffairs Cryptocurrency
Multiple vulnerabilities in the SecureRandom() function expose Bitcoin web wallet addresses generated by the flawed library to brute-force attacks.
Old Bitcoin web wallet addresses generated in the browser or through JavaScript-based wallet apps might be affected by a cryptographic vulnerability that could be exploited b attackers to steal funds.
According to the experts, the popular JavaScript SecureRandom() library isn’t securely random, this means that an attacker can launch brute-force attacks on private keys.
The flaw affects the JavaScript SecureRandom() function that is used for generating a random Bitcoin address and its adjacent private key, currently, it doesn’t actually.
“It will generate cryptographic keys that, despite their length, have less than 48 bits of entropy, […] so its output will have no more than 48 bits of entropy even if its seed has more than that,” said the system administrator David Gerard.
“SecureRandom() then runs the number it gets through the obsolete RC4 algorithm, which is known to be more predictable than it should be, i.e. less bits of entropy,” Gerard added. “Thus, your key is more predictable.”
Gerard concluded that all Bitcoin addresses generated using the SecureRandom() function are vulnerable to brute-force attacks.
“The conclusion seems to be that at least all wallets generated by js tools inside browsers since bitcoin exists until 2011 are impacted by the Math.random weakness if applicable to the related implementations, the Math.random or RC4 (Chrome) weakness between 2011 and 2013, and RC4 weakness for Chrome users until end of 2015” continues Gerard.
Gerard explained that several web-based or client-side wallet apps used the SecureRandom() function, the expert said that all Bitcoin addresses possibly affected are:
BitAddress pre-2013;
bitcoinjs before 2014;
current software that uses old repos they found on Github.
A user has thrown the same alert on the Linux Foundation mailing list:
“A significant number of past and current cryptocurrency products contain a JavaScript class named SecureRandom(), containing both entropy collection and a PRNG. The entropy collection and the RNG itself are both deficient to the degree that key material can be recovered by a third party with medium complexity.” reads the alert.
The researcher Mustafa Al-Bassam added that several old implementations for web and client-side Bitcoin wallets apps leveraged the jsbn.js cryptographic library for generating Bitcoin addresses. Unfortunately, the jsbn.js cryptographic library used the SecureRandom() function, this means that Bitcoin address private keys were exposed to attack.
“The original disclosure didn’t contain any information about the library in question, so I did some digging.” added Mustafa.
“I think that the vulnerability disclosure is referring to a pre-2013 version of jsbn, a JavaScript crypto library. Before it used the CSRNG in the Web Crypto API, it tried to use nsIDOMCrypto, but incorrectly did a string comparison when checking the browser version.”
If you are using a Bitcoin wallet address generated with tools using the flawed functions you need to generate new Bitcoin address and transfer the funds to the new one.