A team of researchers led by the Distrust security research firm have disclosed a vulnerability they've called "Milksad". The popular Libbitcoin project was used by multiple cryptocurrency wallets to generate private keys, but it turns out it was irresponsibly implemented, producing flawed output. The team used a pseudo-random number generator seeded with only 32 bits of system time to produce private keys, meaning that private keys could be brute-forced in "a few days of computation on the average gaming PC, at most".Nevertheless, when Distrust disclosed this to Libbitcoin, the team replied first that they were too busy, then twice that "they do not feel this is a bug".
The research team has not yet disclosed which wallets were affected by the vulnerability, but they have estimated that around $900,000 were stolen as a result.
