Bitcoin Forum
June 13, 2021, 06:10:24 PM *
News: Latest Bitcoin Core release: 0.21.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2]  All
  Print  
Author Topic: Vulnerability discovered on bitcoinpaperwallet[.]com - DO NOT USE IT  (Read 434 times)
bitcoinVPSD
Full Member
***
Offline Offline

Activity: 446
Merit: 101



View Profile
May 09, 2021, 09:04:37 PM
 #21

I wouldn't trust a VanitySearch site that isn't made by me or WhyFy.

The issue is more about who creates the site rather than what is used to create it.
It will be difficult for me to know who I can trust. Just a small search, I can get many search results related to Vanity Search. Most of them are open source on Github. I can't even tell which one is safe or not. It is possible to scan the file before installing, but there might still be vulnerabilities like this subject, right?

1623607824
Hero Member
*
Offline Offline

Posts: 1623607824

View Profile Personal Message (Offline)

Ignore
1623607824
Reply with quote  #2

1623607824
Report to moderator
1623607824
Hero Member
*
Offline Offline

Posts: 1623607824

View Profile Personal Message (Offline)

Ignore
1623607824
Reply with quote  #2

1623607824
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1623607824
Hero Member
*
Offline Offline

Posts: 1623607824

View Profile Personal Message (Offline)

Ignore
1623607824
Reply with quote  #2

1623607824
Report to moderator
Timelord2067
Legendary
*
Offline Offline

Activity: 2604
Merit: 1651


Witty! £ $ ₹ € ¥ ¢ ≠ ÷ ™


View Profile WWW
May 09, 2021, 10:23:55 PM
 #22

I wouldn't trust a VanitySearch site that isn't made by me or WhyFy.

The issue is more about who creates the site rather than what is used to create it.

Unless of course you were provided with a Part Private Key in which case there is no chance of interference.  I have rolled a handful of vanity wallets for others using this method via @LoyceV's thread - it was for me to gain some experience at doing such things (and I always ensured LoyceV was paid as it was their thread).

If a website were to take your part private key then there wouldn't be any issue surrounding any website going rogue.

.freebitcoin.¦       ___¦¯¯¦¦___
   __¦¦¦¦¦¦__¦  ¦¯¯¦__
  ¦¦¦  ¦¯¯¦¦¦¦¦¦¦__¦¦¯
   ¯¯¯¦¦__¦  ¦¦¦¦¯¯  _¦¦
_¦¦¦__  ¯¯¯¯¯¯¯  __¦¦¦¦¦¦
¦¦¯¯¦¦¦¦¦_     _¦¦¯¦ ¯¯¦¦
¦¦__¦¦¦¯¯¦¦   ¦¦¦¯ __  ¯¦
¦¦¦¦¦¦¦__¦¦¦ ¦¦¦__ ¯¯_  ¦
¦¦¯¯¦¦¦¦¦¦¦¦ ¦¦¦¦¦  ¦¯_¦¦
 ¦__¦¦¦¦¦¦¦¦ ¦¦¦¦¦   ¦¦¦
  ¯¦¦¦¦  ¦¦¦ ¦¦¦¦__¦¦¦¯
     ¯¯¦¦¦¦   ¦¦¦¦¯¯
BITCOIN
DICE
EVENT
BETTING
¦WIN A LAMBO !

.
            __________¦¦¦¦¦¦¦¦¦¦¦_____
______¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦____
¯¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦____
__¦¦¦¦¦_¦¦¦¦¦_¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦_¦¦¦¦¦_¦¦¦¦__
¯¦¦¦¦¦¦¦¦¯¯¯¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¯¯¯¦¦¦¦¦¦¦¦¦¦_
  ¯¯¯¦¦¦¦___¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦___¦¦¦¦¦¦¦¦¦¦
       ¯¦¦¦¦¦¯  ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯  ¯¦¦¦¦¦¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
.PLAY NOW.
libert19
Sr. Member
****
Offline Offline

Activity: 1428
Merit: 280


First 100% Liquid Stablecoin Backed by Gold


View Profile WWW
May 10, 2021, 03:03:12 AM
 #23

Nice finding but I still don't catch the reason why people easily accept wallet generator from third-party while they can do that with Bitcoin Core or Electrum (creating wallet offline). After that, print or write private keys or mnemonic seeds on paper. It is safer and not too hard to do.

What are the chances that thing mentioned in op can happen with wallets you mentioned as well?

pooya87
Legendary
*
Offline Offline

Activity: 2380
Merit: 3907


Remember tonight for it's the beginning of forever


View Profile
May 10, 2021, 04:11:52 AM
 #24

I wouldn't trust a VanitySearch site that isn't made by me or WhyFy.

The issue is more about who creates the site rather than what is used to create it.
It will be difficult for me to know who I can trust. Just a small search, I can get many search results related to Vanity Search. Most of them are open source on Github. I can't even tell which one is safe or not. It is possible to scan the file before installing, but there might still be vulnerabilities like this subject, right?
I can tell you who not to trust.
You should never trust a website, even if it is popular. For example you should never trust bitaddress.org website even though it is a popular project. Because it is a website and you can't tell what really is happening when you generate a key there.
You should also never trust a Vanity address creator that generates the key on their own. There is nothing stopping them from saving the key. There was ways to make this safe by just giving them a public key and they work from there but there are some complications involved.
And finally being open source and on Github doesn't mean they are safe. Being that and popular to have their code reviewed by others makes them safe.

NotATether
Hero Member
*****
Online Online

Activity: 546
Merit: 1569


Cryptographic Crawler


View Profile WWW
May 10, 2021, 11:14:56 AM
 #25

I wouldn't trust a VanitySearch site that isn't made by me or WhyFy.

The issue is more about who creates the site rather than what is used to create it.

Unless of course you were provided with a Part Private Key in which case there is no chance of interference.  I have rolled a handful of vanity wallets for others using this method via @LoyceV's thread - it was for me to gain some experience at doing such things (and I always ensured LoyceV was paid as it was their thread).

If a website were to take your part private key then there wouldn't be any issue surrounding any website going rogue.

Except how many people know how to split the private key in the first place? Or know that there is actually no splitting involved but you're just taking two random PKs and combining them together?

Most of the procedures people use to generate a split vanity address involves such voodoo as generating a random PK somewhere and then combining them on bitaddress.org.

There is one post that does explain what Bitaddress is doing, and I wrote it, but it has yet to be featured in anyone's software.

Timelord2067
Legendary
*
Offline Offline

Activity: 2604
Merit: 1651


Witty! £ $ ₹ € ¥ ¢ ≠ ÷ ™


View Profile WWW
May 11, 2021, 12:58:49 AM
 #26

Except how many people know how to split the private key in the first place? Or know that there is actually no splitting involved but you're just taking two random PKs and combining them together?

Most of the procedures people use to generate a split vanity address involves such voodoo as generating a random PK somewhere and then combining them on bitaddress.org.

There is one post that does explain what Bitaddress is doing, and I wrote it, but it has yet to be featured in anyone's software.

Not quite.

What I'm talking about is taking the other person's part private key and generating a vanity wallet address - the result is imported by the sender (the result) into their own wallet.  No-one else can import the found result into their own wallet.  AFAIA no-one has found a vulnerability with this method and it was, or still is, being used and can be found in the various vanity wallet generating threads around the Forum.

.freebitcoin.¦       ___¦¯¯¦¦___
   __¦¦¦¦¦¦__¦  ¦¯¯¦__
  ¦¦¦  ¦¯¯¦¦¦¦¦¦¦__¦¦¯
   ¯¯¯¦¦__¦  ¦¦¦¦¯¯  _¦¦
_¦¦¦__  ¯¯¯¯¯¯¯  __¦¦¦¦¦¦
¦¦¯¯¦¦¦¦¦_     _¦¦¯¦ ¯¯¦¦
¦¦__¦¦¦¯¯¦¦   ¦¦¦¯ __  ¯¦
¦¦¦¦¦¦¦__¦¦¦ ¦¦¦__ ¯¯_  ¦
¦¦¯¯¦¦¦¦¦¦¦¦ ¦¦¦¦¦  ¦¯_¦¦
 ¦__¦¦¦¦¦¦¦¦ ¦¦¦¦¦   ¦¦¦
  ¯¦¦¦¦  ¦¦¦ ¦¦¦¦__¦¦¦¯
     ¯¯¦¦¦¦   ¦¦¦¦¯¯
BITCOIN
DICE
EVENT
BETTING
¦WIN A LAMBO !

.
            __________¦¦¦¦¦¦¦¦¦¦¦_____
______¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦____
¯¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦____
__¦¦¦¦¦_¦¦¦¦¦_¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦_¦¦¦¦¦_¦¦¦¦__
¯¦¦¦¦¦¦¦¦¯¯¯¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¯¯¯¦¦¦¦¦¦¦¦¦¦_
  ¯¯¯¦¦¦¦___¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦___¦¦¦¦¦¦¦¦¦¦
       ¯¦¦¦¦¦¯  ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯  ¯¦¦¦¦¦¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
.PLAY NOW.
pooya87
Legendary
*
Offline Offline

Activity: 2380
Merit: 3907


Remember tonight for it's the beginning of forever


View Profile
May 11, 2021, 03:56:08 AM
 #27

What I'm talking about is taking the other person's part private key and generating a vanity wallet address
Don't you mean public key?
I can't see any reason why the other party needs "private" key, partial or not. They only need the public key and then they can move from there by incrementing that point one G at a time until they find the correct public key that generates the desired address. Then all they have to do is to send back the number of times they added G to that point. User can simply add that value to their private key and get the new private key which corresponds to the public key of the vanity address.

Timelord2067
Legendary
*
Offline Offline

Activity: 2604
Merit: 1651


Witty! £ $ ₹ € ¥ ¢ ≠ ÷ ™


View Profile WWW
May 11, 2021, 07:52:59 AM
 #28

What I'm talking about is taking the other person's part private key and generating a vanity wallet address
Don't you mean public key?

No.

Part private key is what I said.  Feel free to read up on the subject then we can pick up this conversation where I'm now going to leave it off (until you read up on the subject that is).

I can't see any reason why the other party needs "private" key, partial or not. They only need the public key and then they can move from there by incrementing that point one G at a time until they find the correct public key that generates the desired address. Then all they have to do is to send back the number of times they added G to that point. User can simply add that value to their private key and get the new private key which corresponds to the public key of the vanity address.

It doesn't work like that - as I said, I encourage you to read up on the subject.

.freebitcoin.¦       ___¦¯¯¦¦___
   __¦¦¦¦¦¦__¦  ¦¯¯¦__
  ¦¦¦  ¦¯¯¦¦¦¦¦¦¦__¦¦¯
   ¯¯¯¦¦__¦  ¦¦¦¦¯¯  _¦¦
_¦¦¦__  ¯¯¯¯¯¯¯  __¦¦¦¦¦¦
¦¦¯¯¦¦¦¦¦_     _¦¦¯¦ ¯¯¦¦
¦¦__¦¦¦¯¯¦¦   ¦¦¦¯ __  ¯¦
¦¦¦¦¦¦¦__¦¦¦ ¦¦¦__ ¯¯_  ¦
¦¦¯¯¦¦¦¦¦¦¦¦ ¦¦¦¦¦  ¦¯_¦¦
 ¦__¦¦¦¦¦¦¦¦ ¦¦¦¦¦   ¦¦¦
  ¯¦¦¦¦  ¦¦¦ ¦¦¦¦__¦¦¦¯
     ¯¯¦¦¦¦   ¦¦¦¦¯¯
BITCOIN
DICE
EVENT
BETTING
¦WIN A LAMBO !

.
            __________¦¦¦¦¦¦¦¦¦¦¦_____
______¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦____
¯¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦____
__¦¦¦¦¦_¦¦¦¦¦_¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦_¦¦¦¦¦_¦¦¦¦__
¯¦¦¦¦¦¦¦¦¯¯¯¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¯¯¯¦¦¦¦¦¦¦¦¦¦_
  ¯¯¯¦¦¦¦___¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦___¦¦¦¦¦¦¦¦¦¦
       ¯¦¦¦¦¦¯  ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯  ¯¦¦¦¦¦¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
.PLAY NOW.
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!