milksad
/
data
14
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add already-public Cake Wallet data

This commit is contained in:
Christian Reitter 2024-12-09 15:16:13 +01:00
parent 46b4db82f8
commit bbd8117c4e
2 changed files with 8757 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
dart_random_electrum_cake_wallet/README.md Normal file
View File

@ -0,0 +1,41 @@
# Cake Wallet - Weak Bitcoin Wallets
This folder is about vulnerable versions of `Cake Wallet` which used the insecure `Random::Random()` PRNG of the `Dart` programming language to generate Bitcoin cryptocurrency wallets, resulting in extremely weak wallets.
Unlike other wallet software, the used mnemonic standard is `Electrum`, not `BIP39`, and the public usage is (to our knowledge) Bitcoin-specific.
See also:
* https://milksad.info/posts/research-update-6/
* https://milksad.info/posts/research-update-9/
* https://milksad.info/posts/research-update-10/
(incomplete article list)
## Data
### Hashed Mnemonic Seed of Discovered Wallets
File: `cakewallet_weak_bitcoin_seeds_hashed_sorted_version1_2023_11.txt`
A collection of hashes over the mnemonic secrets for all vulnerable wallets we discovered at the time of data set creation.
* Creation date: around 2023-11-24
* Detection: confirmed Bitcoin Mainnet usage of a `bc1` address on at least one of the sub-accounts, checked until #79
* Bitcoin Mainnnet address database from ca. early 2023-11
* Entry format: SHA-256 hash computed over the lowercase space-separated seed string without leading spaces, trailing spaces or newlines
* File format: newline-separated ASCII entries, sorted
* Additional comments: 12 word Electrum seed, "100" segwit prefix
#### Data example
Mnemonic: `ensure finish energy title soccer frame audit ahead swim fee course shoe`
Hash result: `f56599f4353c6f5d4d01cf9a9c2548cc2a70d3684c127962515b681692ab2b3e`
The example is a valid mnemonic but was unused at the time, and is therefore not included in the data set itself.
#### Publication Details
We provided this data set to the `Cake Wallet` vendor on 2023-11-24 for public adoption into patched new app versions. The data allows for client-side checks in the application to spot and warn of a continued use of known-vulnerable wallets.
They merged it via https://github.com/cake-tech/cake_wallet/pull/1238/files on 2023-12-18.

8716
dart_random_electrum_cake_wallet/cakewallet_weak_bitcoin_seeds_hashed_sorted_version1_2023_11.txt Normal file
View File

File diff suppressed because it is too large Load Diff