WalletGenerator.net, a website for creating cryptocurrency paper wallets, has been found to have served code that issued the same private/public key pair to multiple users. The flaw was discovered and described in a blog post by security researcher Harry Denley on May 24, 2019. Denley writes about cyber security for the MyCrypto service.
According to Denley's post, the problematic code was first in use in August 2018 and was only recently discovered and corrected, on May 23. The code live on the website is supposed to match the open-source version on GitHub, which users are reportedly auditing, but differences were found between the two. After examining the live code, Denley concluded that the private and public keys generated on the live version of the site were not produced randomly.
In tests between May 18 and May 23, MyCrypto used WalletGenerator's bulk generator to make 1,000 keys. With the GitHub code, 1,000 unique keys were produced; the live code yielded only 120 distinct keys. The bulk generator kept returning the same 120 unique keys even when other factors were changed, including VPN, user, and browser.
Secure key pairs depend on randomness. Converting a random number into the private key and then deriving the public key gave the same results whenever the first number was a "5."
WalletGenerator patched the issue only after MyCrypto's staff reached out. Its administrators responded that the allegations could not be verified and even accused MyCrypto of being a phishing website.
MyCrypto's staff advised anyone who generated key pairs between August 17 and May 23 to move their funds to a different wallet and recommended not using WalletGenerator.net. These recommendations are informed by a past incident in which a "blockchain bandit" made off with 45,000 ether simply by guessing private keys.