This article is more than 1 year old

When SecureRandom()... isn't: JavaScript fingered for poking cash-spilling holes in Bitcoin wallets

If you've got an old money store, check it for hacked gaps

Concerns about a flawed crypto library that could allow Bitcoin theft have been revived following a post to a Bitcoin mailing list last week.

David Gerard, a UK-based Unix admin and blockchain technology watcher, raised concerns in a blog post on Thursday.

"The popular JavaScript SecureRandom() library … isn’t securely random," he wrote, pointing to an anonymous post to a Bitcoin mailing list a week ago that revisited the issue.

The post attributes the shortcomings of the code to JavaScript's lack of type safety. A bug causes the code to fail to utilize the browser's window.crypto API and to fall back on the cryptographically inadequate Math.random() API.

Via Twitter and on the mailing list, Mustafa Al-Bassam, a doctoral researcher in computer science at University College London, said that the problem lies with a pre-2013 version of jsbn, a JavaScript crypto library.

This particular crypto flaw has been publicly known since at least 2013. And Bitcoin Core developer Greg Maxwell discussed the issue during a 2015 presentation.

The perils of fallback

In response to the dustup, Filippo Valsorda, a cryptographer working for Google, advised against implementing any kind of fallback when generating keys.

Matthew Green, an assistant professor of computer science at Johns Hopkins and cryptography expert, in a phone call with The Register concurred. "Fallback is always kind of lousy idea," he said.

Green explained that problem with the code might extend not just to older wallet apps utilizing weak key generation but to Bitcoin addresses generated at the time.

"If you generated your Bitcoin address using this code, you could potentially have crackable, predictable keys that could be exploited to steal money," he said.

Green said it can be difficult to tell how browsers and apps generate keys because it's not always apparent and there's significant variation.


Disgraced US Secret Service agent coughs to second Bitcoin heist


Google's Chrome browser was affected by the issue until 2015.

The result of the subpar random number generation, Gerard says, is that crypto keys generated using this code are predictable enough to crack through brute force, in perhaps a week.

Gerard in his post declares "most web wallets" for storing cryptocurrency are affected by this flaw but doesn't name any specific ones. But, if we're lucky, it may be rather fewer than that.

In an email to The Register, he clarified while he doubts anything developed recently is vulnerable, apps using keys generated back then may be.

What's at risk?

Asked for examples, he said possibly affected digital wallets include Bitaddress (pre-2013), Bitcoinjs (pre-2014), and anything using older GitHub repos that implement SecureRandom().

Bitcoin contributor Dave Harding expressed skepticism about the motives of the person who revived the issue on the Bitcoin mailing list, pointing to the individual's rather dubious choice of remailers and the inclusion of a Bitcoin address in the message, presumably to solicit donations.

"So, although the issue is legit (but ancient), I myself suspect this person was just out to stir up a little drama or money," he said in an email to The Register.

As it happens, the price of Bitcoin surged on Thursday.

Harding acknowledged that some Bitcoin private keys generated in web browsers years ago are not as secure as they could be.

"Likely the least secure keys have already been compromised and the users' funds stolen; some other keys may have been secure enough at the time but can still be compromised in the future," he said.

He advised those with concerns to contact their wallet vendor and noted maintains a list of digital wallets without known security issues. ®

More about


Send us news

Other stories you might like