# Notes

We publish most of our content on https://milksad.info or in one of the other repositories.

This is a small collection of notes which didn't fit anywhere else.

## Resources

This is not exhaustive; see our blog posts for more context.

### Similar Research

* https://blog.ledger.com/Funds-of-every-wallet-created-with-the-Trust-Wallet-browser-extension-could-have-been-stolen/, CVE-2023-31290

### Victims & Analysis Social Media Posts

* https://www.reddit.com/r/Bitcoin/comments/157ze5i/my_bitcoin_was_taken_how/, now partially deleted
* https://www.reddit.com/r/Bitcoin/comments/158nyuo/mass_hacking_of_over_1000_bitcoin_accounts/

### Potentially Related Press

* https://cointelegraph.com/news/redditor-gets-lesson-after-bitcoin-paper-wallet-hacked

### Interesting Tools

Software we found during our research. We don't endorse these tools and can't vouch for them in any way.

* https://github.com/altf4/untwister
* https://github.com/Houzich/CUDA-GPU-Brute-Force-Mnemonic-Ethereum

## Public Reaction to Milk Sad Disclosure

### News

* https://bitcoinmagazine.com/technical/the-milk-sad-vulnerability-and-what-it-means-for-bitcoin
* https://newsletter.mollywhite.net/p/issue-36
* https://euro.dayfr.com/business/amp/666814
* https://bitcoinworld.co.in/disappearance-of-900k-puts-focus-on-vintage-bitcoin-project-libbitcoin/
* https://www.binance.com/en-IN/feed/post/2023-08-14-major-vulnerability-in-bitcoin-libbitcoin-explorer-tool-fixed-961627
* https://www.coindesk.com/tech/2023/08/14/disappearance-of-900k-puts-focus-on-vintage-bitcoin-project-libbitcoin/
* https://www.cryptopolitan.com/libbitcoin-explorers-version-3-x-faces-severe-security-breach-users-funds-endangered/
* https://coinnounce.com/vintage-bitcoin-project-libbitcoin-loses-900k/
* https://unchainedcrypto.com/milk-sad-issue-results-in-900000-stolen-from-crypto-wallets/
* https://finance.yahoo.com/news/disappearance-900k-puts-focus-vintage-020100877.html
* https://www.msn.com/en-us/news/technology/libbitcoin-explorer-s-version-3-x-faces-severe-security-breach-users-funds-endangered/ar-AA1f8wL1
* https://www.bitcoininsider.org/article/222643/crypto-security-breach-hackers-exploit-bitcoin-wallet-vulnerability-make-900k
* https://www.investing.com/news/cryptocurrency-news/newly-discovered-bitcoin-wallet-loophole-let-hackers-steal-900k--slowmist-3151825
* https://headtopics.com/us/newly-discovered-bitcoin-wallet-loophole-let-hackers-steal-900k-slowmist-42034707
* https://cointelegraph.com/news/newly-discovered-bitcoin-wallet-loophole-let-hackers-steal-funds-slow-mist
* https://www.schneier.com/blog/archives/2023/08/cryptographic-flaw-in-libbitcoin-explorer-cryptocurrency-wallet.html (no biggie)
* https://bitcoinops.org/en/newsletters/2023/08/09/
* https://www.web3isgoinggreat.com/?id=libbitcoin-vulnerability
* https://medium.com/asecuritysite-when-bob-met-alice/a-novice-mistake-meet-milk-sad-and-the-32-bit-key-ba308fb2b633
* https://thenationview.com/cryptocurrency/203129.html
* https://www.nobsbitcoin.com/milk-sad-vulnerability-disclosure/
* https://cointimes.com.br/milk-sad-1000-carteiras-de-bitcoin-roubadas-em-vulnerabilidade-que-afetou-milhoes-de-dolares-veja-se-voce-foi-comprometido/
* https://russia.postsen.com/business/amp/392963
* https://bitcoinist.com/crypto-breach-hackers-make-off-with-900k/
* https://decrypt.co/news-explorer?pinned=266091&title=libbitcoins-vulnerability-allowed-hackers-to-make-off-with-at-least-900000-in-user-funds
* https://protos.com/crypto-wallet-seeds-crackable-with-gaming-pc-via-this-security-flaw/
* https://www.securitylab.ru/news/540834.php
* https://unchainedcrypto.substack.com/p/should-sbf-have-stayed-silent
* https://www.cryptotimes.io/bug-in-libbitcoin-explorer-3-x-allows-hacker-to-steal-900k/

### Videos

* https://www.youtube.com/watch?v=PHdsyG7ZoM4 (Crypto World Daily)
* https://www.youtube.com/watch?v=XKGMYii0wdA (BlockChain Caffe)
* https://www.youtube.com/watch?v=GXwpTlSBtrk (Bitcoin Review)
* https://www.youtube.com/watch?v=R37Zmx7VopY (Olaf Ihle)
* https://www.youtube.com/watch?v=3uwl5xDdc7c (pubkey nyc)
* https://www.youtube.com/watch?v=GXwpTlSBtrk (bitcoin review)
* https://www.youtube.com/watch?v=aBhr4QnjggQ (explaining bitcoin)

### Podcasts

* https://poddtoppen.se/podcast/1617044319/asecuritysite-podcast/bill-buchanan-a-novice-mistake-meet-milk-sad-and-the-32-bit-key
* https://bitcoinops.org/en/podcast/2023/08/10/

### Forums

* https://lobste.rs/s/mhveku/milk_sad
* https://www.metafilter.com/200276/Milk-Sad
* https://news.ycombinator.com/item?id=37054862
* https://stacker.news/items/221860
* https://www.pipiscrew.com/threads/milk-sad-weak-entropy-in-libbitcoin-bc-seed-generation.85195/#post-84070

### Reddit

* https://www.reddit.com/r/Bitcoin/comments/15lu8ps/milk_sad_a_practical_explanation_of_how_weak/
* https://www.reddit.com/r/CryptoCurrencyClassic/comments/15mirw5/milk_sad_vulnerability_cve202339910_in_libbitcoin/
* https://www.reddit.com/r/programmingcirclejerk/comments/15lv4md/the_bx_seed_subcommand_for_generation_of_new/
* https://www.reddit.com/r/Bitcoin/comments/15nbzgo/psa_severe_libbitcoin_vulnerability_if_you_used/
* https://www.reddit.com/r/coldcard/comments/15n9gww/milk_sad_wallet_vulnerability/
* https://www.reddit.com/r/CryptoCurrencyClassic/comments/15ngyk2/major_rng_in_seed_generation_was_disclosed/
* https://www.reddit.com/r/btc/comments/15n383k/milk_sad_vulnerability_a_practical_explanation_of/
* https://www.reddit.com/r/Electrum/comments/15npvwy/has_electrum_ever_been_exposed_to_the_milk_sad/

### Git

* https://github.com/spesmilo/electrum/issues/8570
* https://github.com/bitcoinbook/bitcoinbook/issues/1082
* https://github.com/MelbourneBitDevs/MelbBitDevs/issues/9
* https://github.com/LedgerHQ/app-ethereum/issues/462
* https://github.com/LedgerHQ/app-bitcoin/issues/244
* https://github.com/libbitcoin/libbitcoin-explorer/issues/728
* https://github.com/libbitcoin/libbitcoin-explorer/issues/726
* https://github.com/libbitcoin/libbitcoin-explorer/pull/729

### Fediverse

* https://mastodon.social/@lrvick/110855860330518325

### LinkedIn

* https://www.linkedin.com/posts/alivaja_milk-sad-disclosure-activity-7094781878552973312-3sIr
* https://www.linkedin.com/posts/jnaulty_bitcoin-cryptocurrency-cryptography-activity-7094980987868106752-6DTv
* https://www.linkedin.com/posts/activity-7095248467765170177-9QEw

### The website formerly known as Twitter

* https://twitter.com/SlowMist_Team/status/1689593659606630400
* https://twitter.com/klever_io/status/1679267565434986501
* https://twitter.com/cmichelio/status/1689686030457217033
* https://twitter.com/tdryja/status/1689285003782340608
* https://twitter.com/gopal_bharvad/status/1689295644261785600
* https://twitter.com/utxoclub/status/1689323302408306688?s=20
* https://twitter.com/SCBuergel/status/1689428445686792192
* https://twitter.com/midmagic/status/1689398329875300356
* https://twitter.com/bitkarrot/status/1689392632701845507
* https://twitter.com/isislovecruft/status/1689331203684577280
* https://twitter.com/JuanSGalt/status/1689321099799011337
* https://twitter.com/molly0xFFF/status/1689369708762472449
* https://twitter.com/BawdyAnarchist_/status/1689322971117101066
* https://twitter.com/hrdng/status/1689022029142560771
* https://twitter.com/JohnNaulty/status/1689225812543766528
* https://twitter.com/h0wlu/status/1689211942236303360
* https://twitter.com/drgrove92/status/1689011743786475520
* https://twitter.com/NikolRo1/status/1689294137445498881
* https://twitter.com/n1ckler/status/1689026658408259585
* https://twitter.com/BlockchainDoug/status/1689039042078248960
* https://twitter.com/SeedSigner/status/1689076185714552833
* https://twitter.com/chromatic_x/status/1689012605162319873
* https://twitter.com/thepizzaknight_/status/1689080119678095360
* https://twitter.com/mrgretzky/status/1689180158937223168
* https://twitter.com/echa_io/status/1689098730673524736
* https://twitter.com/turnkeyhq/status/1689035139773267968
* https://twitter.com/techmedia_think/status/1689145493186908161
* https://twitter.com/Ghostie0815/status/1689083719070392320
* https://twitter.com/adam3us/status/1689051705504153600
* https://twitter.com/secresDoge/status/1689209933898883072
* https://twitter.com/leashless/status/1689010029910020096
* https://twitter.com/slashbin_FR/status/1689212181059883009
* https://twitter.com/matthew_d_green/status/1689047993100410880
* https://twitter.com/jspaleta/status/1689376047127789570
* https://twitter.com/UID_/status/1689050776520273922
* https://twitter.com/katakoto/status/1689384902339526656
* https://twitter.com/brikk_/status/1689169765883940864
* https://twitter.com/jtgrassie/status/1689063057534689280
* https://twitter.com/StronkDev/status/1689046769001537537
* https://twitter.com/RSync25/status/1689213744734220288
* https://twitter.com/joemphilips/status/1689143686096146433
* https://twitter.com/isislovecruft/status/1689331203684577280?s=51