Crypto recovery firm Unciphered published their research on a vulnerability affecting browser-based cryptocurrency wallets.
🚨 Big news from us at @uncipheredLLC: We've publicly disclosed vulnerabilities in BitcoinJS-based wallets generated between 2011 and 2016.
The coordinated disclosure has gone smoothly so far. Vendors have notified over a million wallet holders! (please migrate your crypto from… https://t.co/Qon9s1IPBe
— Nick Bax.eth (@bax1337) November 14, 2023
The affected library was used by BitcoinJS wallets that were in use between 2011 and 2015, though Unciphered noted that the exact time frame is difficult to pinpoint.
“We can confirm that this vulnerability is exploitable, however, the amount of work necessary to exploit wallets varies significantly and, in general, considerably increases over time,” said researchers at the firm.
“That is to say, as a rule, impacted wallets generated in 2014 are substantially more difficult to attack than impacted wallets generated in 2012.”
Based on these estimates, the number of wallets at risk is in the millions, and the value at risk is over $1 billion. Unciphered said it is coordinating disclosures with the relevant parties so that affected users are alerted to move their funds to a new wallet.
The firm claims to have discovered the vulnerability when trying to recover funds for a customer who was locked out of Blockchain.com. However, the researchers said they have refrained from sharing more information related to it as they would run the risk of giving bad actors the ammo to carry out an attack.
“Bad guys are no doubt already at work trying to create their own proof of concept so they can recreate and implement the attack we found. But we’re hoping that controlling some of the details will make it hard for them and give the honest owners a head start,” said the researchers.