MyCrypto security researcher Harry Denley has discovered that the online paper wallet creator WalletGenerator.net has been running code that caused it to provide the same private/public key pairs to multiple users.
The vulnerability, revealed on May 24 by the researcher, has been affecting the platform since August 2018 and was only removed on May 23.
The code used by the platform to generate keys for paper wallets was open source code audited by GitHub. The code stored on GitHub and the code used by the platform for generating crypto wallets were identical at first, so it served its original purpose: to generate unique public and private keys for users to store their crypto assets.
However, the code run by WalletGenerator.net became slightly different at some point, making it generate the same pair of keys for different users, with the severe security problems this entails.
In one of the MyCrypto tests carried out on May 18-23, researchers attempted to use the website generator to generate 1,000 keys. The original GitHub version of the code returned 1,000 unique keys; the code run on the site, however, returned only 120 unique keys.
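The 1,000-key test described above can be reproduced as a uniqueness audit over any key generator. This is an added example, not WalletGenerator.net's or MyCrypto's code; `constrainedKey` and its 120-seed pool are a constructed stand-in for a faulty generator, chosen only to mirror the reported count, and say nothing about how the site's code actually failed.

```javascript
// Added example: uniqueness audit for a key generator (Node.js).
const crypto = require('crypto');

// Healthy generator: 32 bytes straight from the OS CSPRNG.
function csprngKey() {
  return crypto.randomBytes(32).toString('hex');
}

// Constructed faulty generator (hypothetical): the output depends on only one
// of POOL_SIZE seeds, so it can never emit more than POOL_SIZE distinct keys.
const POOL_SIZE = 120;
function constrainedKey() {
  const seed = crypto.randomInt(POOL_SIZE);
  return crypto.createHash('sha256').update(`seed-${seed}`).digest('hex');
}

// Call generate() n times and summarise how often keys repeat.
// Only a fingerprint of each key is kept, so the audit holds no key material.
function auditUniqueness(generate, n) {
  const counts = new Map();
  for (let i = 0; i < n; i++) {
    const fp = crypto.createHash('sha256').update(generate()).digest('hex');
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  let repeatedKeys = 0;
  let maxRepeats = 0;
  for (const c of counts.values()) {
    if (c > 1) repeatedKeys++;
    if (c > maxRepeats) maxRepeats = c;
  }
  return {
    total: n,
    unique: counts.size,
    repeatedKeys,   // distinct keys handed out more than once
    maxRepeats,     // most times any single key was handed out
    // For 256-bit keys, any repeat at all in a small sample is a failure.
    pass: counts.size === n,
  };
}

console.log('csprng     ', auditUniqueness(csprngKey, 1000));
console.log('constrained', auditUniqueness(constrainedKey, 1000));
```

Run against the code a site actually serves rather than the repository copy, the same audit also exposes a divergence between the two versions.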