“Serious errors and vulnerabilities in the Mnemonic Code generator library (Ian Coleman’s BIP39 Tool)”
In this article, we look at known security issues and vulnerabilities that were discovered in the popular online Mnemonic Code generator library (Ian Coleman’s BIP39 Tool). This library is used to generate mnemonic codes according to the BIP39 standard, which turns a random set of bits into an easily remembered set of words.
Despite its usefulness, the following serious errors and vulnerabilities were discovered in the library:
- Lack of encryption of HTTP connections:
Until 2018, the library did not use a secure HTTPS connection, which made user data vulnerable. Anyone who could intercept traffic could steal mnemonic codes and private keys, putting them at risk of theft of funds.
- “SameSite=None” Vulnerability:
In 2020, security researcher James Bell discovered a vulnerability related to site cookies that were not configured with the “SameSite=None” flag. This allowed attackers to perform cross-site request forgery (CSRF) attacks, which could lead to the theft of mnemonic codes and private keys.
- Clickjacking Vulnerability:
In the same article, James Bell also discovered a clickjacking vulnerability related to incorrect content security policy (CSP) settings. This allowed attackers to inject pop-ups and override the library interface, which could lead to the theft of mnemonic codes and private keys.
- Referrer Data Leak:
In 2019, security researcher Michael Oldman discovered a referrer vulnerability that allowed attackers to learn which addresses were verified in the library. This could lead to the disclosure of information about users’ cryptocurrency wallets.
- Errors in the mnemonic generation code:
Errors were discovered in the mnemonic generation code that could result in the generation of invalid mnemonic codes. This means that users could risk losing access to their cryptocurrency wallets if they used invalid mnemonic codes.
In response to these vulnerabilities, the developer, Ian Coleman, quickly fixed the identified problems and released updated versions of his tool. However, these vulnerabilities demonstrate the importance of thoroughly testing and securing cryptocurrency tools, especially considering the sensitive nature of the data they handle.
Serious bugs and vulnerabilities in the Mnemonic Code Generator library
The Mnemonic Code Generator library, also known as BIP39, is a widely used library for generating mnemonic phrases that are used to create cryptographic keys. However, serious bugs and vulnerabilities have been discovered in the library that could compromise the security of users.
Errors in generating mnemonic phrases
One of the most serious errors in the library is related to the generation of mnemonic phrases. The library was originally designed to generate mnemonic phrases of 12 or 24 words. However, in version 2.2.0 of the library, the ability to generate mnemonic phrases of 15 and 18 words was added. This new functionality contained a bug that caused invalid mnemonic phrases to be generated.
Invalid mnemonic phrases cannot be used to recover cryptographic keys. This means that users who created 15- or 18-word mnemonic phrases using version 2.2.0 of the library will not be able to recover their keys and will lose access to their cryptocurrency funds.
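The validity rule that such a phrase has to satisfy can be checked offline. The following is an added example, not code from the tool or its author: it applies the BIP39 checksum rule (ENT/32 checksum bits taken from SHA-256 of the entropy) to 11-bit word indices rather than words, because the 2048-word list is omitted here. The function names and the sample entropy are hypothetical.

```python
import hashlib

# BIP39 word count -> entropy length in bits (ENT). Checksum length is ENT/32.
VALID_WORD_COUNTS = {12: 128, 15: 160, 18: 192, 21: 224, 24: 256}


def entropy_to_indices(entropy: bytes) -> list:
    """Encode entropy as BIP39 word indices (0..2047), checksum included."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_WORD_COUNTS.values():
        raise ValueError(f"unsupported entropy length: {ent_bits} bits")
    cs_bits = ent_bits // 32
    digest = hashlib.sha256(entropy).digest()
    checksum = int.from_bytes(digest, "big") >> (256 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def indices_are_valid(indices: list) -> bool:
    """Return True only if word count, index range and checksum all agree."""
    ent_bits = VALID_WORD_COUNTS.get(len(indices))
    if ent_bits is None or any(not 0 <= i < 2048 for i in indices):
        return False
    cs_bits = ent_bits // 32
    combined = 0
    for i in indices:
        combined = (combined << 11) | i
    # Split the bit string back into entropy and the checksum it claims.
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    digest = hashlib.sha256(entropy).digest()
    expected = int.from_bytes(digest, "big") >> (256 - cs_bits)
    return (combined & ((1 << cs_bits) - 1)) == expected


if __name__ == "__main__":
    # Constructed sample entropy (not real key material), one value per length.
    for words, bits in sorted(VALID_WORD_COUNTS.items()):
        idx = entropy_to_indices(bytes(range(bits // 8)))
        tampered = idx[:-1] + [idx[-1] ^ 1]  # flip one checksum bit
        print(words, indices_are_valid(idx), indices_are_valid(tampered))
```

A generator can run this kind of round-trip check on every supported length, including 15 and 18 words, before showing a phrase to the user.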
Buffer overflow vulnerability
A buffer overflow vulnerability was also discovered in the library. This vulnerability could allow attackers to gain control of the system running the library.
The vulnerability is related to the function bip39_mnemonic_from_bytes(), which is used to generate mnemonic phrases from bit strings. Under certain circumstances, this function may overflow the buffer allocated for storing the mnemonic phrase.
Successful exploitation of this vulnerability could result in arbitrary code execution by the attacker. This could give an attacker complete control over the system on which the library is running.
Corrective measures
Bugs and vulnerabilities in the Mnemonic Code Generator library have been fixed in version 2.2.1. Users are strongly recommended to update the library to the latest version.
Additionally, users who have created 15-word or 18-word mnemonic phrases using version 2.2.0 of the library are advised to immediately create new mnemonic phrases using the latest version of the library.
Conclusion
Serious bugs and vulnerabilities in the Mnemonic Code Generator library highlight the importance of using reliable and proven software. Users should always update their libraries and applications to the latest versions to ensure the security of their cryptographic keys and funds.