Vulnerability in JavaScript Function May Mean Long-term Bitcoin Holders are at Risk

A group of researchers released a warning on the security dangers of old bitcoin addresses that were generated via JavaScript-based wallet applications.

According to the researchers, hackers can take advantage of an old JavaScript cryptographic flaw to steal bitcoin stored in such addresses. By brute-forcing the private keys of such addresses, cybercriminals can take ownership of the wallets and the bitcoins stored in them.

Insufficient Entropy in the JavaScript SecureRandom() Function

The flaw revolves around the JavaScript SecureRandom() function which can be used to generate bitcoin addresses and private keys. A bitcoin address is an alphanumeric code that begins with a ‘1’ or ‘3,’ and it specifies the destination of a bitcoin payment. It is similar to an email address. The private key is like a password, and it bears a mathematical relationship with a bitcoin address.

According to an anonymous contributor on the Linux Foundation mailing list, the JavaScript SecureRandom() function isn’t truly random, despite the name. This assertion was also made by David Gerard, a Unix system expert based in the UK, and it has become a topic of discussion on many online cryptocurrency message boards.

The general consensus that the JavaScript SecureRandom() function isn’t genuinely random is based on the low entropy level of the cryptographic keys that it generates. Entropy refers to the degree of randomness of a system: the higher the entropy, the more difficult it is for brute-force hacking to be successful.

According to Gerard, the function generates cryptographic keys that have less than 48 bits of entropy, regardless of the entropy level of the seed. The JavaScript function then runs the alphanumeric key through the obsolete RC4 algorithm, which is generally considered to be predictable. The predictability makes the private key vulnerable to brute-force hacking.
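
The point that output length does not add entropy can be checked on a generator you control. The following is an added example, not code from the article or from SecureRandom() itself: a simplified model in which only a few bits of the seed reach an RC4 pool, audited by counting the distinct keys it can emit. The names `weakKey`, `auditKeyspace` and `constructedSeeds` and the 12-bit toy width are assumptions made for illustration.

```javascript
// Simplified model for illustration; NOT the actual SecureRandom() source.
const SEED_BITS = 12; // assumed toy width so the whole space can be counted

// Plain RC4: key scheduling, then n keystream bytes.
function rc4Keystream(key, n) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  let i = 0, j = 0;
  for (i = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 255;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = [];
  i = 0; j = 0;
  while (out.length < n) {
    i = (i + 1) & 255;
    j = (j + S[i]) & 255;
    [S[i], S[j]] = [S[j], S[i]];
    out.push(S[(S[i] + S[j]) & 255]);
  }
  return out;
}

// Hypothetical weak generator: only SEED_BITS of the seed reach the RC4 pool,
// so a 256-bit output cannot carry more than SEED_BITS of entropy.
function weakKey(seed) {
  const s = seed & ((1 << SEED_BITS) - 1);
  const bytes = rc4Keystream([s & 255, s >> 8], 32);
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join("");
}

// Constructed sample input: distinct 32-bit seeds from a fixed LCG.
function constructedSeeds(count) {
  const seeds = [];
  let x = 1;
  for (let k = 0; k < count; k++) {
    x = (Math.imul(x, 1664525) + 1013904223) >>> 0;
    seeds.push(x);
  }
  return seeds;
}

// Audit: count the distinct keys a generator emits over many seeds.
function auditKeyspace(generateKey, seeds) {
  const seen = new Set(seeds.map(generateKey));
  return { seeds: seeds.length, distinctKeys: seen.size,
           effectiveBits: Math.log2(seen.size) };
}

console.log(auditKeyspace(weakKey, constructedSeeds(50000)));
```

A generator fit for key material shows no repeats in a count like this; in browsers and Node.js, key bytes should come from `crypto.getRandomValues()`.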

