Cryptocurrency ArticlesOld JavaScript bug is still a security threat to cryptos

Old JavaScript bug is still a security threat to cryptos

By Alex Vet
Get Airdrops and CryptoboxesGet Free Airdrops and Crypto boxesGet The Latest Cryptocurrency News First - Join Us In GoogleNewsRead us in Google NewsGet The Latest Cryptocurrency News First - Join Us In TelegramGet The Latest Cryptocurrency News First - Join Us In GoogleNews Join WhatsApp channel

JavaScript class SecureRandom() has a bug in it and doesn’t generate really secure keys.

How is it related to cryptocurrencies?

There are numerous browser-based cryptocurrency products that still use popular SecureRandom() JS class. JavaScript is very popular for creating browser-based products but isn’t a really good thing to use for cryptography purposes. The main problem is that JS is not a type-safe language.

Type safety is a complex topic and there’s no one agreed definition of what exactly a “type-safe” language is, but by almost any definition of it, JavaScript is not type-safe. It means that JS doesn’t really discourage or prevent type errors that are impermissible in cryptography.

The conclusion is, all crypto wallets generated by JS tools inside browsers had (and some – still have!) keys that are predictable enough to crack by brute-force attack. Yes, such keys have the proper length (cryptography-wise) but less than 48 bits of entropy due to the bug in JavaScript class.

Deep technical explanation.

What to do now?

Actually, it’s not much to do about it. Like all good cryptocurrency bugs, this one isn’t new at all — here’s Greg Maxwell talking about it nearly three years ago (51:00 on):

This problem affects you if you:

  • use old cryptocurrency addresses
  • they were generated with JavaScript, i.e., in a web browser

Possibly affected:

  • BitAddress pre-2013;
  • bitcoinjs before 2014;
  • current software that uses outdated repos from Github.

What to do:

  • move your funds out of those addresses
  • don’t use them again

This will reduce the risk of your keys being cracked but, in general, this information should make you stop thinking that it will take ages for modern crypto keys to get cracked. It turns out, that it might be cracked in a week.

 

Some interesting facts:

JavaScript was originally called LiveScript. It wasn’t developed by Sun Microsystems (as Java) and there was no good reason to rename LiveScript to JavaScript. This led to confusion that JavaScript is somehow related to Java, but JavaScript is a different language, it has more in common with functional languages like Lisp or Scheme than with Java.

JavaScript is an actual high-level, interpreted programming language, not the script, as the -Script suffix suggests.

Get Airdrops and CryptoboxesGet Free Airdrops and Crypto boxesGet The Latest Cryptocurrency News First - Join Us In GoogleNewsRead us in Google NewsGet The Latest Cryptocurrency News First - Join Us In TelegramGet The Latest Cryptocurrency News First - Join Us In GoogleNews Join WhatsApp channel
Previous article
GPUs And ASICs – A Never Ending Battle For Mining Supremacy
Next article
Bytecoin – Oldest Privacy-Focused Crypto Coin

Join us

13,690FansLike
1,625FollowersFollow
5,652FollowersFollow
2,178FollowersFollow
- Advertisement -

Coinatory is a news portal dedicated to providing the latest updates on cryptocurrency, blockchain, and mining. Our mission is to keep readers informed about the most significant and exciting developments in the crypto world, including updates on new coins as they emerge. We offer a comprehensive coverage of the technical details behind recent and upcoming changes and events in the cryptocurrency industry, enabling our readers to stay up-to-date with the latest trends and insights.

Disclaimer

At Coinatory, we stay at the forefront of modern trends by leveraging various AI tools for content creation, marketing, and other purposes. While these tools help us enhance our services and provide valuable insights, it is important to note that the information and content generated by AI may not always be perfect or fully accurate. We strive to ensure the highest quality and accuracy in all our offerings, but we recommend that users independently verify information and seek professional advice when necessary. Coinatory is not liable for any inaccuracies or errors resulting from the use of AI-generated content. By using our website, you agree to these terms and acknowledge the role of AI in our operations.