- Aug 17, 2014
Cryptocurrency wallets generated between 2011 and 2015 are vulnerable to an attack that allows threat actors to use brute-force methods to recover passwords for accessing funds. Researchers at Unciphered estimate that millions of wallets — with potentially hundreds of millions of dollars in them — remain vulnerable to attack.
Several of the projects that used the vulnerable BitcoinJS library — including BrainWallet, CoinPunk, and QuickCoin — are no longer around. But several others such as Blockchain.com, Bitgo, Dogechain.info, and Blocktrail, are still active.
Unciphered's effort to recover the password failed. But in the process of finding a way to retrieve it, researchers at the company discovered the BitcoinJS vulnerability, which they have since dubbed "Randstorm." In the 22 months since the discovery, the researchers have been working with Blockchain.com and others that incorporated the vulnerable BitcoinJS function to notify affected users about the threat.
"We have been coordinating disclosure with multiple entities and, as a result, millions of users have been alerted," Unciphered said in a blog post this week. "In the event that it is possible an individual has assets held in an affected wallet, they should be moved to a newly generated wallet created with trusted software," the company noted.