Concerns about possible theft from Bitcoin Wallets increase due to JavaScript

Cyberattacks are among the crimes haunting every sector. Cryptocurrency is no exception, given the rapid growth it has seen in the last two years, though the market is struggling to hold its nerve. That does not deter cyberattackers from stealing bitcoins from wallets. As the sector grows, so do the concerns. This time, more than the cybercriminals, it is the JavaScript SecureRandom library that is viewed with suspicion. The issue has been brought back to the forefront.

Concerns Raised

David Gerard, a British-based Unix administrator and blockchain technology watcher, voiced his concerns by pointing to an anonymous post to a Bitcoin mailing list. This happened a week ago. In his blog post, he argues that the well-known JavaScript SecureRandom() library is not secure. His contention is that the JavaScript code has shortcomings related to type safety, theregister.co.uk reported. He believes that a bug could cause the code to fail to use the browser's window.crypto API and fall back on the cryptographically insufficient Math.random() API.

On a mailing list and on Twitter, a University College London researcher disclosed that the issue is not new and exists in the jsbn versions released in or before 2013. jsbn is JavaScript code used for the crypto library. This specific flaw has existed since at least 2013 and was publicly known.

During a presentation in 2015, Bitcoin Core developer Greg Maxwell discussed this issue. He was advised by Google's cryptographer, Filippo Valsorda, against executing any kind of fallback when generating keys. Another cryptography expert, assistant professor of computer science Matthew Green, said the fallback was not a good idea. He pointed out that the issue was not only with the code in older wallet apps that use weak key generation, but also with the addresses generated at the time.
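The fallback described above and the advice against it, shown side by side as an added example (this is not jsbn's code or any wallet's; the function names and the env parameter are hypothetical, introduced so the behaviour can be exercised with a stubbed environment):

```javascript
// Added illustration: silent fallback vs. fail-closed key-byte generation.
// `env` stands in for the browser global (window); it is an assumption of
// this example so that both code paths can be driven deterministically.

// Pattern the article describes: if the browser CSPRNG is not detected,
// quietly use Math.random(). The caller gets bytes either way and cannot
// tell that the key material is predictable unless it inspects `source`.
function randomBytesWithFallback(n, env = globalThis) {
  const out = new Uint8Array(n);
  const c = env.crypto;
  if (c && typeof c.getRandomValues === "function") {
    c.getRandomValues(out);
    return { bytes: out, source: "csprng" };
  }
  for (let i = 0; i < n; i++) {
    out[i] = Math.floor(Math.random() * 256); // not cryptographically secure
  }
  return { bytes: out, source: "Math.random" };
}

// Hardened form: no fallback at all. If feature detection fails for any
// reason (old browser, detection bug), key generation stops with an error
// instead of producing weak keys.
function randomBytesStrict(n, env = globalThis) {
  const c = env.crypto;
  if (!c || typeof c.getRandomValues !== "function") {
    throw new Error("no CSPRNG available; refusing to generate key material");
  }
  const out = new Uint8Array(n);
  c.getRandomValues(out);
  return out;
}

// Hypothetical wrapper for a 32-byte private key seed, built on the strict form.
function generateKeySeed(env = globalThis) {
  return randomBytesStrict(32, env);
}
```

With the strict form, a failed detection surfaces as an error at key-generation time rather than as a weak address discovered years later.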

Green stated that “If you generated your Bitcoin address using this code, you could potentially have crackable, predictable keys that could be exploited to steal money.” He thinks that it is not possible to give guidance on how browsers and apps generate keys, since this is not clear and there was considerable variation.

Subpar Result

As a result, Alphabet’s Google Chrome browser faced the issue until 2015. Gerard thinks that the subpar output of the random number generation could be predictable enough to crack by brute force in probably a week. In his post, the Unix administrator pointed out that most web wallets face the issue due to this flaw, without naming any particular ones.

However, he believes that it would be lucky if there are only a few instances of money being lost from wallets. On the other hand, Dave Harding, a Bitcoin contributor, expressed doubts about the motive of Gerard, who brought the issue back. He thinks that there was nothing new in the fresh concerns except the choice of remailers and the inclusion of a bitcoin address in his latest message.

Article written by Prateek Kulhari

Prateek is a business editor who writes about various topics such as technology, health and finance. At Pressly, he works along with the colourful folks that build a nation through tech startups. He is also a professional football player and video games enthusiast.