You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Changing one of the last 4 characters in a private key may result in a validation by the wifIsValid() function. This happens in steem-js but not in steem-python (can't import an invalid key with steempy addkey).
Tested with different accounts. Some keys are showing this behavior, while others aren't.
The modified keys are also able to broadcast transactions.
Using the latest steem-js v0.7.1
Here's a snippet to verify the combinations for a given key pair.
String.prototype.replaceAt = function (index, replacement) {
return this.substr(0, index) + replacement + this.substr(index + replacement.length);
};
// account and password example that illustrate the problem
var account = "testuser123"; // edit this
var password = "P5JvGvqo8NWhnaEhqHNsd69g7TbiFy1WcZQ5HNq8qxvaVU1bXzmX"; // edit this
var steem = require('steem');
var base58chars = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
var keys = steem.auth.getPrivateKeys(account, password, ['owner', 'active', 'posting', 'memo']);
//console.log(keys);
testKeys(keys.owner, keys.ownerPubkey, "owner");
testKeys(keys.active, keys.activePubkey, "active");
testKeys(keys.posting, keys.postingPubkey, "posting");
testKeys(keys.memo, keys.memoPubkey, "memo");
function testKeys(privatekey, publickey, keytype) {
var validcount = 0;
for (var testpos = 0; testpos <= privatekey.length; testpos++) {
for (var i = 0; i < base58chars.length; i++) {
var newchar = base58chars.slice(i, i + 1);
var modifiedprivatekey = privatekey.replaceAt(testpos - 1, newchar);
try {
if (steem.auth.wifIsValid(modifiedprivatekey, publickey)) {
if (privatekey !== modifiedprivatekey) {
var slice1 = privatekey.slice(0, testpos - 1);
var slice2 = privatekey.slice(testpos - 1, privatekey.length - 1);
console.log(slice1 + "\x1b[36m" + newchar + "\x1b[0m" + slice2, "VALID");
validcount++;
}
}
} catch (e) {
//console.log(e);
//console.log(modifiedwif, newchar, "INVALID");
}
}
}
console.log("\x1b[32m" + privatekey, "ORIGINAL", keytype, "\x1b[0m");
console.log("Found", validcount, "valid variations on the original", keytype, "key", "\r\n");
validcount = 0;
}
The text was updated successfully, but these errors were encountered:
Jolly-Pirate
changed the title
wifIsValid() is validating variations on the same private key
Variations on the same private key are valid
May 20, 2018
Jolly-Pirate
changed the title
Variations on the same private key are valid
Modifying private keys results in many other valid keys
May 21, 2018
Changing one of the last 4 characters in a private key may result in a validation by the wifIsValid() function. This happens in steem-js but not in steem-python (can't import an invalid key with
steempy addkey
).Tested with different accounts. Some keys are showing this behavior, while others aren't.
The modified keys are also able to broadcast transactions.
Using the latest steem-js v0.7.1
Here's a snippet to verify the combinations for a given key pair.
The text was updated successfully, but these errors were encountered: