WalletGenerator.net has been a go-to website for many who want an easy way to create a paper wallet. However, recent research by Mycrypto shows that the code the site served may have been malicious, resulting in the same private keys being issued to multiple users.
In a Medium article, Mycrypto researcher Harry deep-dives into the situation.
The vulnerability: Website code not validated
The code being served from the WalletGenerator.net URL did not match the code on GitHub. The site's code is intended to be open-source and audited, yet the site has apparently been serving a version that was never validated against the repository.
Running a diff between the GitHub code and the code served by the site showed that the served version performs an extra XHR request to fetch the coin image. This is strange: the browser has already downloaded the coin image when the HTML page loads, so there is no need to request it again. Instead of drawing entropy from the user's browser and interactions, the served code takes its input from the image, that is, from the server.
In plain terms, although the user moves the mouse around the screen to supply randomness, that random data is never used to seed the key generation.
According to Mycrypto, this started on August 17, 2018. Anyone who has created a wallet on the site since that date is at risk of being affected.
When Mycrypto generated keys in bulk (1,000 keys at a time) at various times between May 18, 2019 and May 23, 2019, only 120 unique keys came back per session. Refreshing the browser, switching VPN locations, or having a different party run the same test produced a different set of 120 keys.
Exactly how the image is manipulated server-side, and when the malicious image is served, remains unknown. Mycrypto suspects steganography is used to keep the image visually identical while giving each user different bytes.
WalletGenerator.net's position
WalletGenerator.net responded by stating that they were unable to verify the claims and asked whether Mycrypto had perhaps been on a phishing website.
Sometime between the investigation (May 22, 2019) and the time Mycrypto received an email response from the current site owner (May 23, 2019), the code being served by the site was modified to remove the previously added malicious code.
We always suggest using your own hardware wallet. Do not depend on online third parties to generate or hold your crypto. Move all funds held in WalletGenerator.net addresses immediately, whether or not foul play is confirmed.