In a recent report, cybersecurity experts at Unciphered have exposed a new exploit called Randstorm, which poses a threat to Bitcoin wallets created between 2011 and 2015. This exploit allows for the potential recovery of passwords, leading to unauthorized access to a substantial number of wallets across various blockchain platforms.
A Look into the Randstorm Exploit
Unciphered describes Randstorm as a term it coined for a combination of bugs, design decisions, and API changes that, when interacting, significantly diminish the quality of random numbers produced by web browsers during the specified era (2011-2015). The vulnerability is estimated to impact approximately 1.4 million bitcoins stored in wallets generated with potentially weak cryptographic keys. Concerned users can check whether their wallets are affected at www.keybleed[.]com.
The cryptocurrency recovery company rediscovered the vulnerability in January 2022 while assisting an unnamed customer locked out of their Blockchain.com wallet. The issue had initially been flagged by security researcher “ketamine” in 2018; its resurfacing sheds light on the enduring risks associated with early Bitcoin wallets.
BitcoinJS at the Heart of the Issue
The vulnerability is traced back to the use of BitcoinJS, an open-source JavaScript package utilized for developing browser-based cryptocurrency wallet applications. Randstorm specifically exploits the package’s dependence on the SecureRandom() function in the JSBN JavaScript library, coupled with cryptographic weaknesses in the web browsers’ implementation of the Math.random() function prevalent during the 2011-2015 period. Notably, BitcoinJS maintainers discontinued the use of JSBN in March 2014.
The lack of sufficient entropy resulting from these vulnerabilities opens the door to potential brute-force attacks, allowing malicious actors to recover wallet private keys generated with the BitcoinJS library or its dependent projects. Wallets created before March 2012 are particularly susceptible, highlighting the urgency for users to assess the security of their assets.
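The entropy problem described above, as an added example (not code from Unciphered, BitcoinJS or JSBN): a 32-byte key filled from a Math.random()-style generator can take no more values than the generator has seeds, while the platform CSPRNG has no such ceiling. The LCG and the 12-bit seed width are constructed stand-ins chosen so the loop finishes instantly; they are not any browser's actual implementation.

```javascript
// Added example: constructed toy PRNG, not any browser's real Math.random().
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// Toy 32-bit LCG standing in for a non-cryptographic generator.
function weakPrng(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state / 2 ** 32; // float in [0, 1), the shape Math.random() returns
  };
}

// Weak pattern: 32 key bytes drawn from a Math.random()-style source.
function keyFromFloatSource(random) {
  const key = new Uint8Array(32);
  for (let i = 0; i < key.length; i++) key[i] = Math.floor(random() * 256);
  return toHex(key);
}

// Hardened pattern: 32 key bytes straight from the platform CSPRNG.
function keyFromCsprng() {
  return toHex(webcrypto.getRandomValues(new Uint8Array(32)));
}

// Count the distinct keys the weak generator can emit for a given seed width.
function distinctWeakKeys(seedBits) {
  const seen = new Set();
  for (let seed = 0; seed < 2 ** seedBits; seed++) {
    seen.add(keyFromFloatSource(weakPrng(seed)));
  }
  return seen.size;
}

// Upper bound on key entropy in bits, given how many keys are reachable.
const entropyBound = (reachableKeys) => Math.log2(reachableKeys);

const SEED_BITS = 12; // assumed demo value, deliberately tiny
const reachable = distinctWeakKeys(SEED_BITS);
console.log(
  `weak source: ${reachable} reachable keys, at most ` +
  `${entropyBound(reachable).toFixed(1)} bits of entropy in a 256-bit key`
);
console.log(`CSPRNG key:  ${keyFromCsprng()}`);
```

The key is 256 bits long in both cases; only the number of reachable values differs, which is why key length alone says nothing about how a wallet's key was generated.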
This discovery underscores the critical importance of scrutinizing open-source dependencies that power software infrastructure. Vulnerabilities in foundational libraries, as demonstrated in the case of Apache Log4j in late 2021, can have far-reaching consequences, posing significant supply chain risks. It’s worth noting that the flaw in wallets created with this software persists unless funds are transferred to a new wallet created with updated software, emphasizing the need for users to stay vigilant and take proactive steps to secure their digital assets.