Is it dangerous to load other people's wallet files in the Bitcoin client?

[walletrecovery]

Of course I understand everything that you write, but you write about your assumptions.
We assume that the source of the wallet program is only one.
If there were options for different wallet programs, then there would not be this topic.
I am talking only about one source of origin for a client program.
How difficult it is to explain something through a Google translator, but without it I could not explain anything at all.

Since walletrecovery seemed quite sketchy to me, i did 5 minutes of research.
It turned out that he is an alt of percenter who has negative trust ratings and a valid flag open against him.
Check this post for more information.
I advise anyone to not deal with this user in any way.

Then you are also paranoid or God forbid the madman.
I’m very scared for you, I worry about your health, sir!

2 Accounts connected:
walletrecovery and percenter

percenter - This person no longer works for us,
I bought part of his video cards and he left.
We do not know his fate and we are not interested.
I have a couple more employees, one of them writes an algorithm for hashcat, and the other searches for clients and sends letters.

If you are interested in delving into the old shit, these are your problems.
Now you are chatting with me and answering my questions.
If you are not competent, then do not be shy
you are not the smartest person on the planet and there is nothing wrong with that.

[walletrecovery]

I advise anyone to not deal with this user in any way.
[/quote]

You write that we cannot be trusted, that we cannot be dealt with.
You are wrong and you must apologize because you do not know the truth.
The truth is that we do not receive "wallet.dat" files from our customers.
We can find the password, give this password to the client, and the client may not pay us anything!
Only we can become a victim of fraud and deception, and our client never.
Do not write nonsense here, you have a lot of stars and you should be smarter than any other member of the forum.

[HCP]

The truth is that we do not receive "wallet.dat" files from our customers.

I should hope not... the clients should be sending you a "hash" extracted from their wallet.dat file which you can then try and bruteforce using hashcat etc.


But you are now claiming that you don't get wallets, but in the very first post in this thread, you said:

Wallets are sent to us to check the availability of private keys inside,
so we can confirm whether this wallet is real or not, but we are worried about our wallets.

So which is correct?


In any case, the original answer you got from ranochingo is still valid:

Whilst there is currently no known vulnerabilities that allows for code execution within the wallet.dat file, I wouldn't trust it too much.

There is no known exploit that will do "Bad Things"™ to your computer if you load a foreign wallet.dat into Bitcoin Core. However, this does not mean that it doesn't exist. "Absence of evidence is not evidence of absence".

So, it would be prudent to take adequate precautions.

Personally, I would just create a simple VM that contains the OS and Bitcoin Core... then take a backup/snapshot of that "clean" install... every time you need to load a new wallet.dat, simply create a new instance copied from your "clean" backup and then try and load the wallet.dat and/or dump it with PyWallet.

If all you're doing is attempting to load/inspect a wallet.dat, you don't even need the block data!

[pooya87]

it seems to me that you are asking this question for your "recovery service" in which case it makes no sense to "load the wallet in the bitcoin client" because while doing recovery or brute forcing password all you need to do is to work with the content of the wallet file and that happens in your own program that is separate and different from the client that wallet file belonged to.
in which case it is up to you to know how to handle the file and make sure there is nothing malicious in it. you should ask this question from the developer who create the program that you are supposedly using to "recover wallets".

otherwise i don't see any reason why you should even have other people's wallet files in first place.

[walletrecovery]

1) "I should hope not... the clients should be sending you a "hash" extracted from their wallet.dat file which you can then try and bruteforce using hashcat etc."

- And what next? Suppose we were sent a wallet "hash" (for Hashcat software) or "mkey" (for Thegrideon software), we found a password, and then what?
How can we harm a client if we don’t have his wallet? Why are you writing nonsense? Ask Dave, there were his answers to this question longtime ago!


2) "But you are now claiming that you don't get wallets, but in the very first post in this thread, you said:
Quote from: walletrecovery on April 18, 2020, 12:58:33 PM
Wallets are sent to us to check the availability of private keys inside,
so we can confirm whether this wallet is real or not, but we are worried about our wallets."

- Yes, you are absolutely right this is our additional service for those who want to buy a wallet from a private person and be sure that they will not be deceived and they will not sell an empty wallet.
In Russia, there are very few clients who have forgotten the password, they are not there or they have ended. Therefore, we came up with an additional service, while it is completely free.
There are many scammers on the Russian forum who sell "wallet.dat" files, so we opened the topic https://bitcointalk.org/index.php?topic=5240546.0 to guarantee a clean deal.
Only in this case we get wallets from people, usually wallets that no one can open for a long time and they are sold everywhere by everyone, for example, on this site allprivatekeys dot com
In principle, we can’t harm the client in any way, we can only harm scammers who, because of us, cannot sell air to gullible people,
therefore these scammers complain about us to the moderator and, as you can see, we have a -1 point in the trust.

it seems to me that you are asking this question for your "recovery service" in which case it makes no sense to "load the wallet in the bitcoin client" because while doing recovery or brute forcing password all you need to do is to work with the content of the wallet file and that happens in your own program that is separate and different from the client that wallet file belonged to.
in which case it is up to you to know how to handle the file and make sure there is nothing malicious in it. you should ask this question from the developer who create the program that you are supposedly using to "recover wallets".

otherwise i don't see any reason why you should even have other people's wallet files in first place.

THANK YOU

If there were options for different wallet programs, then there would not be this topic.

But you can open and create wallet.dat from different program such as Bitcoin Knots and fork of Bitcoin Core (usually for altcoin though)

THANK YOU

Check this post for more information.

"percenter"

We have nothing to do with this account, the person was fired last month.

[HCP]

Why are you writing nonsense?

I'm sorry, but I'm really confused. You keep making contradicting statements... and then you call valid responses to your comments "nonsense".

You said "we get wallet.dats"... people say, you should take precautions "just in case"... and you should only be using the "hash" extract... you say "yes, we don't get wallets and with hash we can't hurt customer, don't write nonsense"??!?

Then you, in the same post, say "actually, we DO get wallet.dats... and we want to check them."

I'm not sure if it is just a language barrier and/or bad translations somewhere, but it seems to me you are just talking around in circles and confusing good advice with people insulting you.


Summary:

- If you are receiving and inspecting wallet.dat's, common sense would dictate that you should do so in a "sandboxed" environment (ie. stand alone, non-network workstation or VM etc)
- If you are just trying to brute force passwords, you should only be receiving the "hash" from the client, and not their wallet.dat
- All those "HUGE REWARD!" wallet.dat's being sold are scams

[walletrecovery]

Why are you writing nonsense?

I'm sorry, but I'm really confused. You keep making contradicting statements... and then you call valid responses to your comments "nonsense".

You said "we get wallet.dats"... people say, you should take precautions "just in case"... and you should only be using the "hash" extract... you say "yes, we don't get wallets and with hash we can't hurt customer, don't write nonsense"??!?

Then you, in the same post, say "actually, we DO get wallet.dats... and we want to check them."

I'm not sure if it is just a language barrier and/or bad translations somewhere, but it seems to me you are just talking around in circles and confusing good advice with people insulting you.


Summary:

- If you are receiving and inspecting wallet.dat's, common sense would dictate that you should do so in a "sandboxed" environment (ie. stand alone, non-network workstation or VM etc)
- If you are just trying to brute force passwords, you should only be receiving the "hash" from the client, and not their wallet.dat
- All those "HUGE REWARD!" wallet.dat's being sold are scams

1) we do not deceive anyone and cannot do this by definition, we do not receive wallets from those customers who are the owners of their wallets.
2) there are other customers who are not the owners of the wallets, but they sell them and very often these are fake wallets or empty ones.
3) so we invited everyone to buy such wallets to contact us first, so that the seller sends us a wallet for research.
4) I did not initially clarify this point, that we have two types of customers, so the people who gave me the answer did not know about this and got confused, sorry.
5) we don’t understand why we have a negative rating, because we didn’t deceive anyone, why do we have -2 points of trust?
6) we have many video cards, but they are without work, so we have to look for ways to make money, although the main thing that we are interested in doing is working with a client who knows at least something about the password that he forgot. But we do not have such clients, there is one, but there it is a very difficult task and it is not yet possible to find a password.
7) if someone has the opportunity to make “0” in the trust, it would be wonderful, because we did nothing wrong with anyone.