Crypto wallet seeds crackable with gaming PC via this security flaw
Hackers have reportedly exploited a weakness in popular crypto wallet tool Libbitcoin Explorer that has allowed them to steal funds from multiple blockchains.
According to software security expert Distrust, which led the investigation, the ‘Milk Sad’ issue (so named because those were the first two words in the seed phrase of the broken key generation process), suffers from a “flawed seed subcommand for the generation of new wallet private key entropy.” As a result, it produces insecure output.
“Think of this as securing your online bank account with a password manager that creates a long random password, but it often creates the same passwords for every user. Malicious people have figured this out and drained funds on any account they can find,” investigators say.
Distrust warns that the effective security is reduced to a point where a powerful gaming PC can brute-force the seeds in less than one day.
Researchers didn’t confirm exactly which wallets had been affected by the Libbitcoin issue or how much crypto may have been stolen but it’s believed that the exploit took place “in the wild” in June and July this year.
Arcadia Finance says exploiter contacted after $450K hack
Trust Wallet suffered a similar exploit
Popular crypto wallet Trust Wallet lost nearly $170,000 in user funds when it suffered a similar exploit late last year.
1/10 Trust Wallet is built on security & trust. So we’re sharing a vulnerability affecting new addresses created Nov 14-23,22 using the Browser Extension.
The issue is fixed. Most at-risk funds are secured. Affected users should take actions outlined:
— Trust Wallet (@TrustWallet) April 22, 2023
The issue, which was discovered via a bug bounty, affected the wallet’s open-source library Wallet Core. It specifically targeted new addresses between November 14 and 23 by browser extension.
Back in April, the company told affected customers to create new wallets and move funds.
Got a tip? Send us an email or ProtonMail. For more informed news, follow us on Twitter, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.