Security researchers find to be using malicious code

27 May, 2019
by David Borman
Security researchers find to be using malicious code

Recently MyCrypto posted a security disclosure on their Medium blog. It seems that has been updated with code that does not output unique wallet keys, but rather is generating them deterministically, meaning that malicious parties could know exactly what the private keys to users' wallets are. MyCrypto suggests users cease using the site moving forward.

According to the posting, any addresses generated after August 17th of 2018 are considered compromised and funds should be moved immediately. After this date the code on the site was modified with the new, vulnerable code. The code is taken originally from github and the source from there is still safe to use. It seems someone intentionally modified the code, making it exceedingly likely this is no mistake.

The new code does not actually take random input data to generate unique keys, but instead seems to use predetermined images as seed data, meaning the wallets generated can easily be re-generated by anyone who knows what image was used, presumably the site owner or a hacker.

When MyCrypto reached out to the owners of the site, they seemed to not know what the researchers were talking about and implied they had accessed a phishing site by mistake. Then, less than a day later, the code was changed back to the original, safe code. No explanation was ever given.

The researchers admit it is unclear if the owners of the site are the shady actors or if the site was somehow compromised by a third party. Due to the lack of any transparency from the owners, MyCrypto is heavily recommending that users stay away, even though the code has, for now, been returned to normal.

From the post:

"We’re still considering this highly suspect and still recommending users who generated public / private keypairs after August 17, 2018, to move their funds. We do not recommend using moving forward, even if the code at this very moment is not vulnerable."

There are a variety of other wallet generators available, and users should alsways do their own homework to make sure their chosen software is safe and works as intended. Stick right here with Chepicap for all updates!

Altseason COMING, but NOT YET... This is what we need to see first! Subscribe to the Chepicap YouTube Channel for more videos!

Follow Chepicap now on Twitter, YouTubeTelegram and Facebook!

Chepicap is now LIVE in Blockfolio! This is how you receive our latest news in your portfolio tracker!  

Read more about: Bitcoin (BTC)


Have you ever used this site?

(3 votes)

Add a comment

Check out the latest news

You will be logged out and redirected to the homepage