According to a recent blog post by security researcher Harry Denley of MyCrypto, the well-known online crypto paper wallet generator WalletGenerator.net recently ran code that caused the same private key/public key pairs to be issued to multiple users.
As per the post, the flawed code was running by August 2018 and was only patched as of 23rd May. The live code on the website is reportedly supposed to be open source and audited on GitHub; however, differences were detected between the two. On examining the live code, Denley found that keys on the live version of the website were generated deterministically, not randomly.
In tests MyCrypto ran between May 18 and 23, they used the website's bulk generator to generate about 1,000 keys. The GitHub version returned 1,000 unique keys, but the live code returned only 120 unique keys. The bulk generator reportedly always returned only 120 unique keys rather than 1,000, even when other factors were changed, including browser refreshes, VPN changes, or user changes.
Randomness is essential when generating key pairs if paper wallets are to be secure. The post adds:
“ELI5: When generating a key, you take a super-random number range, flip it into the private key, and then switch that into the public key / address. However, if the ‘super-random’ number range is always ‘5,’ the private key that’s generated will always be the same. This is why it’s so important that the super-random number range is actually random…not ‘5.’”
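The uniqueness check described in the bulk-generator test, together with the seed-to-key determinism the quote explains, can be sketched as follows. This is an added example, not code from MyCrypto or WalletGenerator.net: the SHA-256 derivation is a stand-in for real wallet key derivation, and the flawed generator is a constructed stand-in that reproduces only the symptom (120 distinct keys), not the site's actual bug.

```python
import hashlib
import itertools
import secrets
from collections import Counter


def key_from_seed(seed: bytes) -> str:
    # Stand-in derivation (assumption): SHA-256 in place of real wallet
    # key derivation. The point is only that equal seeds give equal keys.
    return hashlib.sha256(seed).hexdigest()


def csprng_generator() -> str:
    # Healthy case: every key starts from 32 fresh bytes of OS randomness.
    return key_from_seed(secrets.token_bytes(32))


def make_flawed_generator(pool_size: int = 120):
    # Constructed flaw: seeds cycle through a fixed pool, so no more than
    # pool_size distinct keys can ever be issued, to any user.
    position = itertools.count()

    def generate() -> str:
        return key_from_seed((next(position) % pool_size).to_bytes(4, "big"))

    return generate


def audit_bulk(generate, count: int = 1000) -> dict:
    # Request `count` keys and report how many are actually distinct.
    tally = Counter(generate() for _ in range(count))
    return {"requested": count, "unique": len(tally),
            "most_repeated": max(tally.values()), "ok": len(tally) == count}


def overlap_between_runs(generate, count: int = 1000) -> int:
    # Keys issued in two separate bulk runs (e.g. two sessions or users).
    first = {generate() for _ in range(count)}
    second = {generate() for _ in range(count)}
    return len(first & second)


if __name__ == "__main__":
    for name, gen in (("csprng", csprng_generator),
                      ("flawed", make_flawed_generator())):
        print(name, audit_bulk(gen), "overlap:", overlap_between_runs(gen))
```

Any overlap between two independent runs, or a unique count below the number requested, means key material is being reused and every key from that generator should be treated as exposed.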
WalletGenerator patched the determinism issue after MyCrypto reached out in the middle of its investigation. WalletGenerator reportedly responded later, stating that the allegations couldn’t be verified, and even asked the correspondent whether MyCrypto was a “phishing web-site.”
MyCrypto added that users who generated key pairs after 17th August last year should immediately transfer their funds to a different wallet, and advised against using WalletGenerator.net.