🔥 💀 [ Critical ] bx seed generates insecure seed phrases for bx 3.x #726

Closed
DanielJoyce opened this issue Aug 8, 2023 · 6 comments

Comments


DanielJoyce commented Aug 8, 2023

https://milksad.info/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39910

TL;DR;

bx seed command for bx 3.x uses Mersenne Twister limited to 32 bits of entropy, leading to brute-forceable seed phrases for wallets. Generate a new wallet (using a more secure tool, LOL), and transfer funds ASAP.

@DanielJoyce DanielJoyce changed the title 🔥 💀 [ Critical ] bx seed generates insecure seed phrases for bx 3.x 🔥 💀 [ Critical ] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39910 bx seed generates insecure seed phrases for bx 3.x Aug 8, 2023
@DanielJoyce DanielJoyce changed the title 🔥 💀 [ Critical ] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39910 bx seed generates insecure seed phrases for bx 3.x 🔥 💀 [ Critical ] bx seed generates insecure seed phrases for bx 3.x Aug 8, 2023
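
An added illustration of the entropy limit described in the opening comment; it is not part of the thread and is not Libbitcoin code. The function names, the low-byte extraction from each twister output, and the reduced seed space used for the count are assumptions made for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <fstream>
#include <random>
#include <set>
#include <stdexcept>
#include <vector>

using bytes = std::vector<uint8_t>;

// Weak pattern: every output byte is derived from one 32-bit seed, so the
// result can take at most 2^32 values no matter how many bytes are requested.
// (Assumed extraction: low byte of each 32-bit twister output.)
bytes weak_entropy(uint32_t seed32, size_t n) {
    std::mt19937 twister(seed32);
    bytes out(n);
    for (auto& b : out) b = static_cast<uint8_t>(twister() & 0xff);
    return out;
}

// Hardened pattern: take every byte from the operating system CSPRNG.
bytes os_entropy(size_t n) {
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    bytes out(n);
    if (!urandom.read(reinterpret_cast<char*>(out.data()),
                      static_cast<std::streamsize>(n)))
        throw std::runtime_error("cannot read /dev/urandom");
    return out;
}

// Count distinct n-byte outputs over a seed space cut down to seed_bits bits
// (cut down so the check finishes quickly). The count never exceeds
// 2^seed_bits, which is the point: output length adds no entropy.
size_t distinct_outputs(unsigned seed_bits, size_t n) {
    std::set<bytes> seen;
    for (uint64_t s = 0; s < (1ull << seed_bits); ++s)
        seen.insert(weak_entropy(static_cast<uint32_t>(s), n));
    return seen.size();
}

// Upper bound, in bits, on the entropy of an n-byte output from each source.
unsigned entropy_bound_bits(bool seeded_from_32_bits, size_t n) {
    const unsigned output_bits = static_cast<unsigned>(n * 8);
    return seeded_from_32_bits ? std::min(32u, output_bits) : output_bits;
}
```

A 32-byte value from `weak_entropy` looks like 256 bits but is bounded at 32; the same length from `os_entropy` is bounded only by its size.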
Member

evoskuil commented Aug 9, 2023

RTFM

@evoskuil evoskuil closed this as completed Aug 9, 2023

0x15 commented Aug 9, 2023

Member

evoskuil commented Aug 9, 2023

You’re in the wrong repo, that is neither the bx documentation nor a Libbitcoin repo. https://github.com/libbitcoin/libbitcoin-explorer/wiki


0x15 commented Aug 9, 2023

somebody should tell whoever wrote that that he lost people a million bucks then

Member

evoskuil commented Aug 9, 2023

People are responsible for their own security, and of course - to RTFM.

Member

evoskuil commented Aug 9, 2023

The command works as documented and intended. The book is dated, the commit is around 8 years old. Maybe make a PR into the book repo and discuss with its author.
