Crypto cybersecurity firm Unciphered has unearthed a decade-old crypto wallet bug affecting browser-based wallets generated between 2011 and 2015.
The bug may allow nefarious actors to steal up to $2.1 billion from wallets on various networks, including Bitcoin (BTC), Dogecoin (DOGE), Litecoin (LTC), and Zcash (ZEC).
Discovering An Ancient Bug
In an interview with the Wall Street Journal, the Unciphered team explained that they’d accidentally discovered the bug during a failed attempt to recover an early investor’s $600,000 in lost Bitcoin (BTC).
The entrepreneur, Nick Sullivan, created his Bitcoin wallet back in 2014 using the website Blockchain.info (since renamed to Blockchain.com). Later, he accidentally lost access to his coins after wiping his computer’s memory without remembering to record his wallet’s private key.
At Sullivan’s request, Unciphered began searching for Sullivan’s coins in January 2022. Though they ultimately lacked enough information to get them back, they realized in the process that Blockchain.info’s code for creating random wallet keys – BitcoinJS – did not make all of its wallets random enough.
“BitcoinJS is terribly broken up till March 2014,” said Unciphered co-founder Eric Michaud. “Anyone directly using it is on the very high end of risk to attack.”
Another wallet site, Dogecoin.info, also used BitcoinJS, leaving many old Dogecoin users exposed to the same vulnerability.
Unciphered claims that wallets made before March 2012 contain $100 million in assets that could easily be hacked by a home computer user. Another $50 billion is held in wallets created between then and 2015, of which at least $500 million is vulnerable.
Cryptographers discovered flaws in wallet generation randomness back in 2014, and have improved their methods since. Unciphered said it hadn’t discovered any wallets generated after 2016 suffering from weak randomness.
How to Tell Victims?
Unciphered came public with the vulnerability this week, but has been quietly warning affected users that their assets are at risk for months.
The challenge was convincing millions of victims to move their funds without revealing the vulnerability to thieves who would otherwise leverage it to steal coins.
Unciphered ultimately decided to go to the biggest site responsible for generating such wallets, one that might be in a position to discreetly notify affected users. That site ended up being the one Sullivan used – Blockchain.com.
The site sent out emails to holders of over 1.1 million affected wallets and found a way to automatically update the wallets of anyone who visited its site.
“In crypto, you need to be pretty skeptical of people who call with something that sounds dramatic, because there are so many scammers,” Blockchain.com President Lane Kasselman said regarding Unciphered’s warning. “It was unclear who they were and what the scope of it was.”
Many affected users still haven’t been warned directly since the sites they used to create their wallets are now out of business.
The post Old Crypto Wallet Bug Puts $2.1 Billion At Risk: Unciphered appeared first on CryptoPotato.