The US-based cybersecurity firm Unciphered has issued a global warning to Bitcoin users regarding a major threat that may put billions of BTC at risk. Early adopters of cryptocurrencies and participants in various blockchain platforms between 2011 and 2015 may be affected by this vulnerability.
BitcoinJS Package Vulnerability
Over the past 22 months, Unciphered has been investigating a vulnerability that affected BitcoinJS, a popular package used for generating crypto wallets in browsers. This vulnerability has resulted in the creation of a significant number of compromised wallets throughout the years.
In January 2022, Unciphered discovered this flaw when assisting a customer who was unable to access their Blockchain.com (previously Blockchain.info) bitcoin wallet. Experts have been warning about this issue since 2018, according to Unciphered’s website. The vulnerability has been dubbed Randstorm due to the non-random nature of the affected wallets.
Unciphered has intentionally limited the release of specific details regarding the exploitation of this vulnerability. This approach aims to provide users with time to secure their funds and minimize the risk of additional information falling into the hands of malicious actors who are already exploiting the vulnerability.
Impact and Mitigation
While the underlying mathematical principles of bitcoin and blockchain remain secure, the vulnerability stems from programming errors that are prevalent across multiple technologies. The version of the software utilized is of particular significance.
Wallets created on Blockchain.info before March 2012, as well as wallets generated using the open-source version of BitcoinJS before critical updates in March 2014, are at higher risk. BitcoinJS was widely adopted by various projects in the early 2010s.
The extent of the impact varies depending on factors such as the duration of vulnerable code usage, additional security measures implemented, and the size of the user base at the time. The vulnerability has been confirmed as exploitable, but the level of effort required to exploit wallets increases over time. Wallets generated in 2012 are more susceptible compared to those generated in 2014.
Unciphered has disclosed this vulnerability to multiple organizations, including Blockchain.com, Bitgo, Block.io, Dogechain.info, Bitpay, Blockstream Green, Bitaddress.org, Coinkite, and BitcoinJS. It is important to note that this issue potentially extends beyond BTC wallets and may also affect wallets of various altcoins.
To determine whether their wallets are vulnerable, users can visit www.keybleed.com. Time is of the essence, as users may only have a few hours or days to safeguard their funds.