Security researchers are warning that old Bitcoin addresses generated in the browser or through JavaScript-based wallet apps might be affected by a cryptographic flaw that allows attackers to brute-force private keys, take control of users' wallets, and steal funds.

The vulnerability resides in the use of the JavaScript SecureRandom() function for generating a random Bitcoin address and its adjacent private key (equivalent of a password).

SecureRandom() isn’t really random

The problem is that this function doesn't actually generate true random data, as an anonymous user recently pointed out on the Linux Foundation mailing list, along with David Gerard, a UK-based Unix system administrator.

"It will generate cryptographic keys that, despite their length, have less than 48 bits of entropy, [...] so its output will have no more than 48 bits of entropy even if its seed has more than that," said Gerard.

"SecureRandom() then runs the number it gets through the obsolete RC4 algorithm, which is known to be more predictable than it should be, i.e. less bits of entropy," Gerard added. "Thus, your key is more predictable."

The conclusion is that all Bitcoin addresses generated using the SecureRandom() function are vulnerable to brute-force attacks that may guess the account's private key.

Users advised to move funds to new addresses

Gerard discovered that some web-based or client-side wallet apps used the SecureRandom() function, but eventually fixed the issue after it became public for the first time via a BitcoinTalk forum post in 2013, and later in a conference talk in 2015.

Gerard says that all Bitcoin addresses generated using the BitAddress client-side wallet pre-2013 and Bitcoinjs pre-2014 are affected.

Furthermore, according to Mustafa Al-Bassam, a PhD researcher at the Department of Computer Science at University College London, many old —web and client-side— Bitcoin wallet apps have used the jsbn.js cryptographic library for generating Bitcoin addresses. A pre-2013 version of this library used the SecureRandom() function.

Wallet apps using those older versions of jsbn.js are still generating crackable Bitcoin address private keys. According to Gerard, cracking such a key would generally take around a week.

Bitcoin users who generated Bitcoin addresses using affected tools are advised to generate new Bitcoin addresses with a new tool and move funds from old accounts to the new ones.