The vulnerability stems from an obsolete function in BitcoinJS, a tool for building Bitcoin-related applications.
The issue was magnified due to a concurrent weakness in pseudo-random number generators in major browsers. This combination led to the generation of crypto wallet keys that were insufficiently random, making them vulnerable to brute-force attacks.
Several projects using BitcoinJS, like QuickCoin, BrainWallet and CoinPunk, are now defunct. However, active services, including Blockchain.com, Blocktrail and Bitgo, still use the vulnerable function, affecting millions of wallets.
"We have been coordinating disclosure with multiple entities and, as a result, millions of users have been alerted," Unciphered reported in a blog post. "In the event that it is possible an individual has assets held in an affected wallet, they should be moved to a newly generated wallet created with trusted software."
The flaw, now known as "Randstorm," was accidentally discovered by Unciphered in January 2022 while attempting to recover a Bitcoin wallet created in 2014 on Blockchain.info. Although the password recovery attempt failed, it led to the uncovering of this critical vulnerability.
This issue wasn't entirely unknown. In 2018, a security researcher named "ketamine" reported vulnerabilities in the SecureRandom() function of BitcoinJS, cautioning that insufficient randomization could put many crypto products at risk.
Extent of the Vulnerability
Researchers found that keys generated with affected versions of BitcoinJS often used significantly less entropy than required, making wallets created before March 2012 particularly vulnerable. While those created between 2012 and 2015 were more secure, they still remain at risk.
"Bitcoin private keys should be generated with 256-bits of entropy; unfortunately, affected keys generated with vulnerable BitcoinJS (or dependent projects) often used less entropy than required," the Unciphered blog post elaborated.
Moving Forward: Recommendations for Wallet Security