🔥 💀 [ Critical ] bx seed generates insecure seed phrases for bx 3.x

libbitcoin / libbitcoin-explorer

Bitcoin Command Line Tool

Other

598 stars 175 forks source link

🔥 💀 [ Critical ] bx seed generates insecure seed phrases for bx 3.x #726

Closed DanielJoyce closed 11 months ago

DanielJoyce commented 11 months ago

https://milksad.info/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39910

TL;DR;

bx seed command for bx 3.x uses Mersenne Twister limited to 32 bits of entropy, leading to brute-forceable seed phrases for wallets. Generate a new wallet ( using a more secure tool, LOL ), and transfer funds ASAP.

evoskuil commented 11 months ago

RTFM

0x15 commented 11 months ago

i rtfm'd, now what https://github.com/bitcoinbook/bitcoinbook/commit/76c5ba8000d6de20b4adaf802329b501a5d5d1db#diff-7a291d80bf434822f6a737f3e564be6a67432e2f3f12669cf0469aedf56849bbR99

evoskuil commented 11 months ago

You’re in the wrong repo, that is neither the bx documentation nor a Libbitcoin repo. https://github.com/libbitcoin/libbitcoin-explorer/wiki

0x15 commented 11 months ago

somebody should tell whoever wrote that that he lost people a million bucks then

evoskuil commented 11 months ago

People are responsible for their own security, and of course - to RTFM.

evoskuil commented 11 months ago

The command works as documented and intended. The book is dated, the commit is around 8 years old. Maybe make a PR into the book repo and discuss with its author.