If you have used a private key generated on WalletGenerator.net after August 17, 2018, move your funds immediately to a secure address.

TL;DR

Who is affected: Anyone who has put funds in a public / private key generated via WalletGenerator.net after August 17, 2018.

Anyone who has put funds in a public / private key generated via WalletGenerator.net after August 17, 2018. When: August 17, 2018 — ???. While the malicious behavior is not presently found as of May 24, 2019, it could be reintroduced at any point.

August 17, 2018 — ???. While the malicious behavior is not presently found as of May 24, 2019, it could be reintroduced at any point. What happened: There were changes to the code being served via WalletGenerator.net that resulted in duplicate keypairs being provided to users. These generated keypairs were also potentially stored server-side.

There were changes to the code being served via WalletGenerator.net that resulted in duplicate keypairs being provided to users. These generated keypairs were also potentially stored server-side. What you should do if you are affected: Securely create a new keypair / wallet and move your funds to that new, secure address. Some folks have recommended using bitaddress (offline) via https://github.com/pointbiz/bitaddress.org.

Obviously, don’t use these public / private keys.

Preface

We were able to contact the current owner of the site prior to publishing this post and outlined some of our findings in the hopes they would secure the server and help with the investigation. They responded by stating that they were unable to verify our claims and asking if we were perhaps on a phishing website.

Sometime between the time we were last investigating and testing (the evening of May 22, 2019) and the time we received an email response from the current site owner (midday, May 23, 2019), the code being served to the site was modified to remove the previously-added, malicious, code.

In this strange turn of events, we still have no idea whether the current site owner is the malicious party, if the server is insecure, or both.

We’re still considering this highly suspect and still recommending users who generated public / private keypairs after August 17, 2018, to move their funds. We do not recommend using WalletGenerator.net moving forward, even if the code at this very moment is not vulnerable.

The Long Version

Paper wallet interfaces are a super useful and convenient tool for users to easily generate a private / public keypair though, historically, these interfaces have been susceptible to vulnerabilities in the RNG / key derivation due to malicious or ignorant behavior conducted internally by the site owners or externally by bad actors. If the random number generator is compromised in any way, it can result (and has resulted) in guessable secrets which can, in turn, result in user funds being stolen.

This is what has happened with WalletGenerator.net.

Details of the Compromise

WalletGenerator is a website that generates paper wallets for a handful of different cryptocurrencies. The code served to WalletGenerator.net is intended to be open-source and audited, and (supposedly) matches the code here: https://github.com/walletgeneratornet/WalletGenerator.net.

This project changed ownership approximately two years ago. It was recently brought to our attention that the code being served via the WalletGenerator.net URL did not match the code on GitHub.

At this time, the code on GitHub is not malicious nor vulnerable, nor has it been malicious or vulnerable previously.

It is unclear at this time if the new owner is responsible for these code changes or if the server has been compromised by an external party.

The Code Changes

We investigated the differences by running a diff between the GitHub code and the server code and noticed (among other things) that an XHR request is being performed to grab the coin image. This is strange because the coin image is already downloaded by your browser when you load the HTML page—there should be no need to request it again.

Network capture of the XHR request for bitcoin.png

We looked at the code to see why it’s sending an XHR request, and what we found was bizarre. It’s using the image data to seed the random number generator function.