According to MyCrypto, the online cryptocurrency paper wallet generator WalletGenerator.net previously ran code that caused the same private/public key pairs to be handed out to multiple users. The vulnerability was detailed in an official post by Harry Denley, a security researcher at MyCrypto, on 24th May.
According to Denley's blog post, the code was patched as of 23rd May. The live code on the website is reportedly expected to be open source and overseen on GitHub. However, differences were noted between the two. After examining the live code, Denley concluded that keys on the live website were generated deterministically rather than randomly.
In one of MyCrypto's tests, which took place between 18-23 May, they used the website's bulk generator to create 1000 keys. The GitHub version gave back 1000 unique keys, but the live code returned only 120 unique keys. The result stayed at 120 rather than the expected 1000 even when the conditions were varied, including browser refreshes, user changes and VPN changes.
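The bulk-generation test described above can be expressed as a small uniqueness audit. The following Node.js sketch is an added example, not code from WalletGenerator.net or MyCrypto; the weak generator is hypothetical, with a seed space of 120 chosen only to mirror the reported count, and it does not reproduce the site's actual defect, which the article does not detail.

```javascript
const crypto = require('crypto');

// Sound baseline: each key is 32 bytes from the OS CSPRNG.
// (In a browser the equivalent source is crypto.getRandomValues.)
function csprngKey() {
  return crypto.randomBytes(32).toString('hex');
}

// Constructed weak generator (hypothetical): every key is derived from a
// seed that can take only `seedSpace` values, so output repeats no matter
// how many keys are requested.
function makeWeakGenerator(seedSpace) {
  let calls = 0;
  return () => crypto.createHash('sha256')
    .update('constructed-seed:' + (calls++ % seedSpace))
    .digest('hex');
}

// Generate n keys and return a Map of key -> number of times it appeared.
function collect(generate, n) {
  const seen = new Map();
  for (let i = 0; i < n; i++) {
    const key = generate();
    seen.set(key, (seen.get(key) || 0) + 1);
  }
  return seen;
}

// Audit one batch for duplicates, then compare it with a second batch from
// a fresh generator instance (standing in for a new browser session).
function audit(makeGenerator, n) {
  const first = collect(makeGenerator(), n);
  const second = collect(makeGenerator(), n);
  let sharedAcrossSessions = 0;
  for (const key of first.keys()) if (second.has(key)) sharedAcrossSessions++;
  return {
    requested: n,
    unique: first.size,
    maxRepeats: Math.max(...first.values()),
    sharedAcrossSessions,
    pass: first.size === n && sharedAcrossSessions === 0,
  };
}

const weakReport = audit(() => makeWeakGenerator(120), 1000);
const soundReport = audit(() => csprngKey, 1000);
console.log({ weakReport, soundReport });
```

Passing this audit does not prove a generator is random; it only catches the kind of repetition reported here, within a batch and across sessions.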
Randomness is required to generate the key pairs; it is what ensures that paper wallets are secure. WalletGenerator patched the determinism issue after MyCrypto contacted it in the middle of its investigation. WalletGenerator purportedly reached out afterward, saying that the allegations could not be substantiated. It even asked the correspondent whether MyCrypto was a “phishing website.”
MyCrypto went on to say that users who generated key pairs after 17th August 2018 should transfer their funds to a different wallet without delay. It also recommended that they not use WalletGenerator.net.