The presentation will cover details of a bug (CVE-2015-2141) I found in the Rabin-Williams (RW) digital signature system implementation in the well-known Crypto++ (http://cryptopp.com) framework. The bug is misuse of "blinding" technique that should prevent timing attacks but results in an ability to recover a private key having only two signatures of one message.