October 25th 2016
We are pleased to announce MultiBit beta release (0.5.0) is available for download. We are releasing this as beta due to the nature of the changes we made. There is a slight chance this upgrade might break prior versions of wallet data. If you install this beta, make sure you have access to your wallet words just in case.
This release modifies the format of all of the encrypted files created by Multibit. A security researcher pointed out that the Multibit wallet files may be vulnerable to a rainbow table attack. In a rainbow attack, the attacker generates a large table of passwords and corresponding ciphertext. This allows them to look at the ciphertext and quickly know the password that was used to encrypt it.
Multibit is vulnerable to this attack because the first few bytes of the wallet file tend to be the same across wallets and a fix initialization value is used in the file encryption process. Fortunately, there is a simple solution: A random initialization value. Every time a file is encrypted, a random initialization value is generated and these random bytes are prepended to the encrypted bytes.
Multibit users don’t have to do anything to take advantage of this security improvement. The system will detect when a file is encrypted with a fixed initialization value and automatically re-encypt the file with a random initialization value.
Thanks to Fenio Hoffman for pointing out this vulnerability while doing research for his thesis at his university.