Changing one of the last 4 characters in a private key may result in a validation by the wifIsValid() function. This happens in steem-js but not in steem-python (can't import an invalid key with steempy addkey).
Tested with different accounts. Some keys are showing this behavior, while others aren't.
The modified keys are also able to broadcast transactions.
Using the latest steem-js v0.7.1
Here's a snippet to verify the combinations for a given key pair.
String.prototype.replaceAt = function (index, replacement) {
return this.substr(0, index) + replacement + this.substr(index + replacement.length);
};
// account and password example that illustrate the problem
var account = "testuser123"; // edit this
var password = "P5JvGvqo8NWhnaEhqHNsd69g7TbiFy1WcZQ5HNq8qxvaVU1bXzmX"; // edit this
var steem = require('steem');
var base58chars = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
var keys = steem.auth.getPrivateKeys(account, password, ['owner', 'active', 'posting', 'memo']);
//console.log(keys);
testKeys(keys.owner, keys.ownerPubkey, "owner");
testKeys(keys.active, keys.activePubkey, "active");
testKeys(keys.posting, keys.postingPubkey, "posting");
testKeys(keys.memo, keys.memoPubkey, "memo");
function testKeys(privatekey, publickey, keytype) {
var validcount = 0;
for (var testpos = 0; testpos <= privatekey.length; testpos++) {
for (var i = 0; i < base58chars.length; i++) {
var newchar = base58chars.slice(i, i + 1);
var modifiedprivatekey = privatekey.replaceAt(testpos - 1, newchar);
try {
if (steem.auth.wifIsValid(modifiedprivatekey, publickey)) {
if (privatekey !== modifiedprivatekey) {
var slice1 = privatekey.slice(0, testpos - 1);
var slice2 = privatekey.slice(testpos - 1, privatekey.length - 1);
console.log(slice1 + "\x1b[36m" + newchar + "\x1b[0m" + slice2, "VALID");
validcount++;
}
}
} catch (e) {
//console.log(e);
//console.log(modifiedwif, newchar, "INVALID");
}
}
}
console.log("\x1b[32m" + privatekey, "ORIGINAL", keytype, "\x1b[0m");
console.log("Found", validcount, "valid variations on the original", keytype, "key", "\r\n");
validcount = 0;
}
Changing one of the last 4 characters in a private key may result in a validation by the wifIsValid() function. This happens in steem-js but not in steem-python (can't import an invalid key with
steempy addkey
).Tested with different accounts. Some keys are showing this behavior, while others aren't.
The modified keys are also able to broadcast transactions.
Using the latest steem-js v0.7.1
Here's a snippet to verify the combinations for a given key pair.