Crypto recovery firm Unciphered disclosed vulnerabilities that impact millions of BitcoinJS-based wallets created between 2011 and 2015.
Posted November 15, 2023 at 1:35 am EST.
Crypto recovery firm Unciphered published their research on a vulnerability affecting browser-based cryptocurrency wallets.
In a blog post on Tuesday, the firm said the vulnerability, which it dubs “Randstorm,” stems from the SecureRandom() function found in the JBSN javascript library and weaknesses in browser implementations of the Math.random() function.
🚨 Big news from us at @uncipheredLLC: We’ve publicly disclosed vulnerabilities in BitcoinJS-based wallets generated between 2011 and 2016.
The coordinated disclosure has gone smoothly so far. Vendors have notified over a million wallet holders! (please migrate your crypto from… https://t.co/Qon9s1IPBe
— Nick Bax.eth (@bax1337) November 14, 2023
This particular library was utillized by BitcoinJS wallets that were in use between 2011 and 2015, but Unciphered noted that it was difficult to pinpoint the exact time frame.
‘We can confirm that this vulnerability is exploitable, however, the amount of work necessary to exploit wallets varies significantly and, in general, considerably increases over time,” said researchers at the firm.
“That is to say, as a rule, impacted wallets generated in 2014 are substantially more difficult to attack than impacted wallets generated in 2012.”
Based on these estimates, the number of wallets at risk are in the millions, and the value at risk at over $1 billion. Unciphered said it is in the process of coordinating disclosures to the relevant parties to alert affected users to shift funds to a new wallet.
The firm claims to have discovered the vulnerability when trying to recover funds for a customer that was locked out of a Blockchain.com. However, the researchers said they have refrained from sharing more information related to it as they would run the risk of giving bad actors the ammo to carry out an attack.
“Bad guys are no doubt already at work trying to create their own proof of concept so they can recreate and implement the attack we found. But we’re hoping that controlling some of the details will make it hard for them and give the honest owners a head start,” said the researchers.