Users Detect Vulnerabilities in Bitcoin Wallet Software

A user on Pastebin claims to have found evidence that some Bitcoin wallet software generates keys that can easily be hacked. The claim came after another person on Reddit posted about how they lost 9 BTC due to a transaction error on the Blockchain.info wallet service.

The user who posted on Pastebin did not reveal which specific wallet software may be affected, or whether the vulnerability is intentional or a coding error. The user claimed that several users of the Blockchain.info platform already know of the vulnerability, having tested the chain by sending small amounts of Bitcoin to the addresses of the private keys generated by the malicious software.

The Pastebin user explained, “If you peer into the Blockchain, you will find that people have ‘played’ with the chain by sending small amounts of Bitcoins to addresses corresponding to private keys generated using Sha256… It’s quite obvious these were _meant_ to be found. It turns out there are a lot of these addresses. (Keep looking and you will easily find some.) This is nothing new and has been known to the Bitcoin community for a while.”

How it was discovered

The user said he used several pieces of publicly available data on the Blockchain to see whether they had been used to create wallets. Working from block hashes for every block since the Genesis Block, Merkle roots from every block, and common words and phrases hashed a number of times, he eventually started testing all the addresses.

The user also downloaded a complete list of Bitcoin addresses listed publicly on Blockchain. He then started to discover keys which could have had some bits associated with them. In his experiments, he discovered more than 40 Bitcoin addresses that had been used to send Bitcoin at some point over the past seven years, as of November 2017.
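The check below is an added example, not code from the Pastebin post or from any wallet project: a self-audit that tests whether one of your own private keys is nothing more than SHA-256, applied zero or more times, over the kinds of public data described above. The function names, the round limit and the phrase list are assumptions made for illustration; the block hash and Merkle root are those of the Genesis Block.

```python
import hashlib

# Genesis Block hash and Merkle root (public chain data); phrases are constructed samples.
BLOCK_HASHES = ["000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"]
MERKLE_ROOTS = ["4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b"]
PHRASES = ["password", "bitcoin", "correct horse battery staple"]
MAX_ROUNDS = 16  # assumption: how many repeated SHA-256 passes to test


def candidate_seeds(block_hashes, merkle_roots, phrases):
    """Yield (source label, seed bytes) for each public input and encoding."""
    for label, values in (("block hash", block_hashes), ("merkle root", merkle_roots)):
        for value in values:
            raw = bytes.fromhex(value)
            yield f"{label}, hex text", value.encode()
            yield f"{label}, raw bytes", raw
            yield f"{label}, byte-reversed", raw[::-1]
    for phrase in phrases:
        yield "phrase", phrase.encode("utf-8")


def audit_private_key(key_hex, block_hashes=BLOCK_HASHES, merkle_roots=MERKLE_ROOTS,
                      phrases=PHRASES, max_rounds=MAX_ROUNDS):
    """Return (source, rounds) if the key is derivable from public data, else None.

    rounds == 0 means the public value itself was used directly as the key.
    """
    key = bytes.fromhex(key_hex)
    if len(key) != 32:
        raise ValueError("expected a 32-byte private key in hex")
    for source, seed in candidate_seeds(block_hashes, merkle_roots, phrases):
        digest = seed
        for rounds in range(max_rounds + 1):
            if digest == key:
                return source, rounds
            digest = hashlib.sha256(digest).digest()
    return None


if __name__ == "__main__":
    # Constructed weak key: a sample phrase hashed twice.
    weak = hashlib.sha256(hashlib.sha256(b"correct horse battery staple").digest()).hexdigest()
    print(audit_private_key(weak))
    # Constructed key with no relation to the public inputs.
    print(audit_private_key(bytes(range(1, 33)).hex()))
```

A match means the key carries no secret entropy and should be retired; a `None` result only rules out the sources and round count that were tested.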

The user suspects that a third-party custodial wallet service, such as a gambling site, a mining pool, or a web wallet, could have malicious code in its backend that is able to generate private keys based on public addresses.

Meanwhile, the Blockchain.info user confirmed that the missing funds have been returned.

“The nine BTC have been returned, the person found my Reddit post & reached out to me this morning. He wants to remain anonymous however he has found an issue with Blockchain.info and is currently working with them to resolve the issue.”