Bitcoin Forum

Economy => Service Discussion => Topic started by: ArpFlush on November 25, 2014, 03:41:04 PM



Title: Bitaddress.org bug?? private key mismatch
Post by: ArpFlush on November 25, 2014, 03:41:04 PM
Hi all,

When using the paper wallet via bitaddress.org, I advice you to check the public address first in blockchain.info.

Reason: I created a new paper wallet, then checked the pub address and there is 1 BTC on it! Strangely enough, the corresponding private key didn't match!! This means that you better always  double check the private key before sending funds to your paper wallet.


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: DannyHamilton on November 25, 2014, 04:18:08 PM
Although it might be possible that there is a bug in bitaddress.org, it is far more likely that you have malware on your computer that changed the bitcoin address. Or that you simply made a mistake and that the address that bitaddress.org generated is not the address that you looked up.


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: ArpFlush on November 25, 2014, 05:41:54 PM
Although it might be possible that there is a bug in bitaddress.org, it is far more likely that you have malware on your computer that changed the bitcoin address. Or that you simply made a mistake and that the address that bitaddress.org generated is not the address that you looked up.
No, I checked it multiple times. I also extracted the public key from the private key (via Armory) and it results in a different public address. Malware, well, in these days of APT's you never know but normally my machine should be clean.


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: KIRAZ on November 25, 2014, 05:53:37 PM
Wow, that's really strange i made one last month from their. Why don't you report this bug/issue to them - maybe they dig deep in it
and tell ya what's the mess up is about.


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: ArpFlush on November 25, 2014, 06:00:09 PM
Wow, that's really strange i made one last month from their. Why don't you report this bug/issue to them - maybe they dig deep in it
and tell ya what's the mess up is about.
I'm on it  ;)


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: yayayo on November 25, 2014, 06:42:08 PM
If true this could be devastating, because Bitaddress is used to such a great extent. It also may have gone unnoticed for a long time, because the main use of this service is cold storage.

I'm no JavaScript expert. But could it be caused by a malicious script injection?

(Posting here to remind me.)

ya.ya.yo!



Title: Re: Bitaddress.org bug?? private key mismatch
Post by: cr1776 on November 25, 2014, 07:41:19 PM
If you want more insight, it would be useful to post both the keys you are discussing AFTER, and only AFTER, you have moved any coins, had a good number of confirmations and made sure you aren't sending any coins there.



Title: Re: Bitaddress.org bug?? private key mismatch
Post by: tzortz on November 25, 2014, 11:10:27 PM
Nice thread.

Thanks to know all these.


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: Cryptopher on November 25, 2014, 11:28:19 PM
Further to DannyHamilton's response, I too wonder if it is a case of an isolated incident.

Have you tried to create more paper wallets since? Did you observe the same problem?

Could you not share any details on the keys seeing as you will presumably not be using it?

The change log doesn't show any updates since April, so if there is a bug then it will have been around for a while. I would have expected to hear more reports into this.

Good job that you checked though - think that it is good practice to check things and then check again before going ahead with it when it comes to crypto.


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: ArpFlush on November 26, 2014, 07:28:52 PM
Well, here's an update.

I scanned both QR's with my phone. The left one (public key) doesn't match the written BTC address below the QR. The private key QR was correct.

In other words: the left part of the page (Bitcoin address) > QR code doesn't match BTC address below the QR. As I used my desktop machine I copy/pasted the btc address in blockchain.info > result: 1BTC on this address (felt like I won the lottery)

Conclusion: Both QR codes match each other, both keys printed in clear text don't match. Check before using you must  8)
Luckily I didn't send BTC to this address!


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: twister on November 26, 2014, 07:58:29 PM
If this bug is real it can make people lose a lot of bitcoin. People make paper wallets and send moeny to them and never check if the key matches the address or not. How do one check the key offline?


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: DaveF on November 26, 2014, 11:01:24 PM
If this bug is real it can make people lose a lot of bitcoin. People make paper wallets and send moeny to them and never check if the key matches the address or not. How do one check the key offline?

Download Electrum on a machine that has never had it installed before & unplug machine from internet.
Run Electrum and then Wallet --> Private keys --> Import [type in the private key and make sure it brings up the correct address.]
Then delete all the info from the proper locations on your PC to be sure that there is no record of the private key.

-Dave


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: yayayo on November 27, 2014, 12:47:52 AM
Well, here's an update.

I scanned both QR's with my phone. The left one (public key) doesn't match the written BTC address below the QR. The private key QR was correct.

In other words: the left part of the page (Bitcoin address) > QR code doesn't match BTC address below the QR. As I used my desktop machine I copy/pasted the btc address in blockchain.info > result: 1BTC on this address (felt like I won the lottery)

Conclusion: Both QR codes match each other, both keys printed in clear text don't match. Check before using you must  8)
Luckily I didn't send BTC to this address!

Well then it's serious. What browser do you use?

Any response from the bitaddress team?

They should take down the site until they have identified and solved the error.

ya.ya.yo!


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: twister on November 27, 2014, 04:17:11 AM
If this bug is real it can make people lose a lot of bitcoin. People make paper wallets and send moeny to them and never check if the key matches the address or not. How do one check the key offline?

Download Electrum on a machine that has never had it installed before & unplug machine from internet.
Run Electrum and then Wallet --> Private keys --> Import [type in the private key and make sure it brings up the correct address.]
Then delete all the info from the proper locations on your PC to be sure that there is no record of the private key.

-Dave


Gr8 idea! I will do this prior to sending any amount to any paper wallet. Thx for this. +1


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: lontivero on November 27, 2014, 04:39:33 AM
Folks, I tested it by myself and keys are okay.


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: TheButterZone on November 27, 2014, 04:41:43 AM
Open issue: https://github.com/pointbiz/bitaddress.org/issues/90


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: lontivero on November 27, 2014, 04:50:50 AM
@ArpFlush could you post an image with the key pair? It is not useful for you, isn't it? I would like to see it by myself.


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: TheButterZone on November 27, 2014, 04:57:27 AM
I wouldn't reveal anything publicly yet. First, import both the uncompressed and compressed private keys that Bitaddress generated. Each type of private key corresponds to a different address.


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: lontivero on November 27, 2014, 04:59:02 AM
Please take a look at the Bitaddress' IP address that you get because someone could modify your local DNS, proxy or any other record in the LAN. If that is posible then you could be accessing to a fake Bitaddress.org site.  


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: ArpFlush on November 27, 2014, 08:14:59 AM
@ArpFlush could you post an image with the key pair? It is not useful for you, isn't it? I would like to see it by myself.
Sure: (sorry for the upside/down)

https://i.imgur.com/UPrzkUR.jpg


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: shorena on November 27, 2014, 08:59:30 AM
@ArpFlush could you post an image with the key pair? It is not useful for you, isn't it? I would like to see it by myself.
Sure: (sorry for the upside/down)

fixed that for you:

https://i.imgur.com/ALgnDQe.jpg

Edit:

private key: 5KaDTTWPxdwxrFYboxQPJiXgqwua9SULLCvLFEBuGkbeQnSLAoG
results in address: 16obDHVzXx1YevqkAkDyN5Vbqw4V8iauGf
according to brainwallet homepage [1].


[1] https://brainwallet.github.io/


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: ArpFlush on November 27, 2014, 09:05:15 AM
Well then it's serious. What browser do you use?

Any response from the bitaddress team?

They should take down the site until they have identified and solved the error.

ya.ya.yo!

No response yet. I used Chrome on a Win7.


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: ArpFlush on November 27, 2014, 09:06:49 AM
fixed that for you:
Edit:

private key: 5KaDTTWPxdwxrFYboxQPJiXgqwua9SULLCvLFEBuGkbeQnSLAoG
results in address: 16obDHVzXx1YevqkAkDyN5Vbqw4V8iauGf
according to brainwallet homepage [1].

[1] https://brainwallet.github.io/
thanks, and your result isthe same as mine  ;)


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: pointbiz on November 27, 2014, 01:09:51 PM
I just dropped by to say I've read this thread.

The code has been around a long time and no one has made this type of claim. The code has unit tests to ensure accuracy. Also, in testing we have used the bulk wallet in the past to generate 10,000+ addresses and tested them against other bitcoin software to ensure only good matching pairs are being generated.

Even in this claim the generated address and private key match because the address is passed into the function that creates the QR code for the bitcoin address. Meaning the complex bitcoin part of the code worked fine. So, the behavior that is claimed to be affected would be the simple code that is updating the HTML.

As a sanity check I would ask the OP to run the unit tests by placing a query string at the end of the page, please do this with the offline version you presumably downloaded.
https://www.bitaddress.org/bitaddress.org-v2.9.3-SHA1-7d47ab312789b7b3c1792e4abdb8f2d95b726d64.html?unittests=true

OP was your browser or system misbehaving in any way you could detect? Was your system low on memory or anything that might shed light on this? My questions are just speculatings.

At this moment it seems more plausible you have encountered some new malware. Easier for malware to change the text in the HTML then to swap out the QR code. PLUS the wrong bitcoin address shown in your screenshot has money on it meaning that someone else controls that key. If this were a legitimate code failure it would not produce an existing bitcoin address because a collision like that is theoretically impossible.


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: pointbiz on November 27, 2014, 01:10:34 PM
Another question to OP. Did you check the SHA1?


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: DannyHamilton on November 27, 2014, 01:52:08 PM
Remember way back in the beginning of this thread when I said that it was far more likely that you have malware on your computer that changed the bitcoin address?

Guess what.

I did about 3 seconds of research with a Google search now that you finally posted the address, and it seems pretty clear that you have malware on your computer that changed the bitcoin address:

*** MALWARE WARNING ***

We want to inform you a MALWARE about dangerous TheTrollBox Chrome Extensions at https://bitcointalk.org/index.php?topic=424686.0
http://pastie.org/pastes/9096889
http://www.reddit.com/r/dogecoin/comments/23jr02/google_chrome_extension_live_ticker_steals_your/

Please be careful and do not use this chrome extension.
It replaces addresses with his own addresses to steal your money.
One of our members lost 1 BTC.

Please retweet to help inform more people about TheTrollBox Chrome Extensions.
https://twitter.com/Coinano/status/458184780069494784

Kind Regards.

If anyone is interested, here are the BTC addresses and various other altcoin addresses in this browser extension that they are stealing BTC to:
- snip -
"1CoEtBCwmy6BBCka1mxYieX7dtkwLSy88F",
- snip -

Security Inform (http://www.securityinform.com/2014/04/24/google-chrome-extension-reportedly-stealing-bitcoin-or-other-cryptocurrency-data/)
Quote
- snip -
1CoEtBCwmy6BBCka1mxYieX7dtkwLSy88F is one of the receiving addresses replaced by this malicious extension
- snip -


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: lontivero on November 27, 2014, 01:59:08 PM
Remember way back in the beginning of this thread when I said that it was far more likely that you have malware on your computer that changed the bitcoin address?

Guess what.

I did about 3 seconds of research with a Google search now that you finally posted the address, and it seems pretty clear that you have malware on your computer that changed the bitcoin address:

*** MALWARE WARNING ***

We want to inform you a MALWARE about dangerous TheTrollBox Chrome Extensions at https://bitcointalk.org/index.php?topic=424686.0
http://pastie.org/pastes/9096889
http://www.reddit.com/r/dogecoin/comments/23jr02/google_chrome_extension_live_ticker_steals_your/

Please be careful and do not use this chrome extension.
It replaces addresses with his own addresses to steal your money.
One of our members lost 1 BTC.

Please retweet to help inform more people about TheTrollBox Chrome Extensions.
https://twitter.com/Coinano/status/458184780069494784

Kind Regards.

If anyone is interested, here are the BTC addresses and various other altcoin addresses in this browser extension that they are stealing BTC to:
- snip -
"1CoEtBCwmy6BBCka1mxYieX7dtkwLSy88F",
- snip -

Security Inform (http://www.securityinform.com/2014/04/24/google-chrome-extension-reportedly-stealing-bitcoin-or-other-cryptocurrency-data/)
Quote
- snip -
1CoEtBCwmy6BBCka1mxYieX7dtkwLSy88F is one of the receiving addresses replaced by this malicious extension
- snip -

Yes, thats the address! Good catch.
Chrome extensions are a big security problem, no just for bitcoins. 


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: ArpFlush on November 28, 2014, 10:28:20 AM
Wow, I didn't know this existed. It's not on my Chrome now (unless I installed & unstalled it months ago).
Antivirus check = negative, but as usual there were some trackers and stuff (that I deleted too)

Thanks for the update!

Edit: So I think this problem is solved. Bitaddress.org is safe to use  ;)


Title: Re: Bitaddress.org bug?? private key mismatch
Post by: yayayo on November 29, 2014, 06:22:27 PM
Remember way back in the beginning of this thread when I said that it was far more likely that you have malware on your computer that changed the bitcoin address?

Guess what.

I did about 3 seconds of research with a Google search now that you finally posted the address, and it seems pretty clear that you have malware on your computer that changed the bitcoin address:

Thank you for resolving this!

Good to know that bitaddress.org is free of errors.

However it is disturbing to see all these kinds of malware targeting Bitcoin-related services... it makes you feel unsafe executing any script... Well at least the criminals agree, that Bitcoin has value... ;)

ya.ya.yo!