New Wallet Vulnerability Leads to $900K Theft from Bitcoin Users … – Crypto News Flash

0

Libbitcoin, a Bitcoin wallet implementation used by developers and validators to create crypto accounts, has been compromised according to blockchain security firm SlowMist. Investigation into the vulnerability of the Libbitcoin Explorer 3.x library disclosed that more than $900,000 has so far been stolen from Bitcoin users. Users of other cryptos including Ethereum, Dogecoin, Ripple, Solana, Bitcoin Cash, Litecoin, and Zcash who use Libbitcoin for their accounts are reportedly not safe and are advised to transfer all funds to secure wallets.
We strongly advise all users utilizing the Libbitcoin Explorer 3.x versions to immediately cease using the affected wallets and transfer funds to secure wallets. Be sure to use a verified, secure random number generation method to generate new wallets.
The blockchain security firm explains that the vulnerability stems from the implementation of the pseudo-random number generator (PRNG) in the Libbitcoin Explorer 3.x versions. Upon assessment, it was observed that implementation used the Mersenne Twister algorithm as well as utilizing 32 bits of system time as seed. This means threat actors would need just a few days to brute force the private keys of users. 
Libbitcoin is currently used by Airbitz (mobile wallet), Cancoin (decentralized exchanges), Blockchain Commons (decentralized wallet Identity), etc. However, none of these were specified to be affected by the vulnerability. 
In a report found on the CVE cybersecurity vulnerability database, the Libbitcoin Explorer was said to have a faulty key generation mechanism. This makes it easier for threat actors to guess private keys. According to SlowMist, hackers made away with 9.7441 BTC ($278,318) in one attack. The initial action was to contact exchanges to prevent the attacker from withdrawing the funds. 
A Distrust team which had four members and eight freelancers was said to have discovered the vulnerability. According to them, a loophole is created whenever a user executes the “bx seed” command to generate a wallet seed. The command in most cases generates the same seed for multiple persons. In other words, it lacks sufficient randomness. The whole discovery was said to have begun when a Libbitcoin user contacted them about the mysterious disappearance of his Bitcoin on July 21. The user earlier reached out to other Libbitcoin users for explanations on why his wallet is empty without a trace, only to find out that “he was not alone.”
Following these concerns, reporters reached out to Libbitcoin Institute member Eric Voskuil for a comment. Interestingly, he clarified that the “bx seed” is not meant to be used in production wallets. Rather, it is intended as “a convenience for when the tool is used to demonstrate behavior that requires entropy.” He further stated that if people used it for production key seeding, then the warning is not sufficient. For now, they intend to make changes in a few days by either removing the command altogether or strengthening the warning against production use. 
Follow us for the latest crypto news!
Wallet vulnerabilities have contributed to millions of dollars lost on various exchanges. In June, the hack of Atomic Wallet saw hackers stealing about $100 million. Most of these are linked to negligence. Cybersecurity certification platform CER recently disclosed that only 6 out of 45 wallet brands used penetration testing to uncover vulnerabilities. 
 
 
John’s a cryptocurrency and blockchain writer and researcher with years of experience. He has a lot of interest in emerging startups, tokens, and the invisible forces of demand and supply. He holds a Bachelor’s degree in Geography and Economics.
Comments are closed.
Crypto News Flash
Crypto News Flash is your number one source for the latest news and information from the world of cryptocurrencies.
About us
Contact us
Legals
Data protection policy
*= Affiliate-Link
Risk warning and disclaimer: The contents of this website are intended solely for the entertainment and information of readers and do not provide investment advice or a recommendation within the context of the Securities Trading Act. The content of this website solely reflects the subjective and personal opinion of the authors. Readers are requested to form their own opinions on the contents of this website and to seek professional and independent advice before making concrete investment decisions. The information found on this site does not contain any information or messages, but is intended solely for information and personal use. None of the information shown constitutes an offer to buy or sell futures contracts, securities, options, CFDs, other derivatives or cryptocurrencies. Any opinions provided, including e-mails, live chat, SMS or other forms of communication across social media networks do not constitute a suitable basis for an investment decision. You alone bear the risk for your investment decisions. Read more!

source

Leave a Reply

Your email address will not be published. Required fields are marked *