Bitcoin.org released a security advisory over the weekend warning the Bitcoin community that any Bitcoin wallet generated on any Android device is insecure and open to theft. The insecurity appears to stem from a flaw in the Android Java SecureRandom class, which under certain circumstances can produce numbers that aren’t truly nondeterministic. This can allow an attacker to work out a victim’s cryptographic private key. Private keys are used to sign Bitcoin transactions; if an attacker has a victim’s private key, the attacker can execute Bitcoin transactions as if he were that person. So far, it appears that the vulnerability has been used to steal at least 55 BTC (approximately $5,720 as of this morning). To conduct a Bitcoin transaction, a user transfers BTC from his address to the intended recipient’s address; when this happens, the sender attaches the recipient’s cryptographic public key to the end of that bitcoin’s record (its “blockchain”) and signs that addition with his own cryptographic private key.