Bitcoin Forum

I used Blockchain.info online wallet for small transactions on my Windows 7 64-bit PC with strong password kept in KeePass.
Today I noticed that about 1.8 BTC was stolen from one of the addresses (which used for Anonymous Ads earnings), but funds from other addresses in this wallet were not affected.
This leads me on thoughts that Blockchain.info or Firefox may have some weakness in random number generator like the vulnerability was recently found in the Android.

TXID with my funds gone: https://blockchain.info/tx/975412ecc21a0ad949deba3f47c6ac41e42fb7bd3f7eeb36cc071f151003d8c9

https://bitcointalk.org/index.php?topic=271486.msg2907468#msg2907468

Same address, are you sure that you never used wallet on android cell?
I mean same identifier etc.

Newer used on Android. Only on Windows 7 and few times on Linux Mint.

P.S. Does it mean that all Blockchain.info addresses are vulnerable and funds from them could be stolen at any time? ???

Were any of the keys imported / brainwallets / or vanity?

We need the tool that scans for re-used R values.

No one address was ever imported. All generated into the browser (mostly Chrome, few times Firefox).

Your transaction with the repeated signature R values is this one:

https://blockchain.info/tx/e05d98ee17d4610eb4e63cf27dd4e63f7128dc28187ae73588ca5562d9391bb8

Inputs 0 and 2 specifically.  If you can 100% confirm the exact client software / platform / browser that generated this transaction, that would be helpful.

The 'k' value was 0x7f561ff2d0a848480f575773dd8b72f17cabc9f202951d9c7392b331b0565f28

I have a tool that can find these things and solve for the private keys but it's a total kludge and I don't use it to snatch funds nor run it on a rolling basis.   However, at this point I'm thinking of augmenting it so that it snatches weak funds immediately so I can return funds to peeps who are able to prove ownership of the victim address by signing a message with a bunch of keys with a 1-degree relationship to that address.

... since the guy currently exploiting this at the moment https://blockchain.info/address/1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj is just cleaning em up and I'm not holding out hope he has plans to return anything.

I'd suggest just requiring the signature of the key itself, plus verifying a name/address.
Then share the name/address with others signing for it and let the legit party sue the fraudulent claimee(s) in court. :)

The legal risk is too high.
On the other hand, I thought about writing and releasing such scanner without touching funds myself and letting people to catch and sue each other. I see every bitcoin-related court case as a good thing that make adoption of Bitcoin by business easier.

FWIW, My logs show someone was complaining at one point a while back their new wallet under chrome had someone elses coin in it. They dropped out before I could extract useful information from them. May be related.

One thing that has long really frightened me about all these webwallets is that if they fail to read from the secure rng they just use some snake oil "randomness" (the mouse position) that has practically no entropy.

There's only one address implicated in all the recent thefts so I'm not sure how useful releasing a scanner would be ... other than increasing competition for snatching funds from weak addresses.

Although your first point brings up a larger legal question ... if someone makes their private key public (intentionally or non-intentionally) ... under what conditions (if any) and under what legal theory could a 3rd party be liable for signing with it?  Any lawyers out there?

Another blockchain.info wallet here loss https://bitcointalk.org/index.php?topic=277601.0

I'm eager to refresh my math skills and play with modern cryptography a bit. Looks like RNGs are good target to try bit diffusion methods. But if such attempt will succeed, touching any weak address by myself would be both unethical and legally risky. And by publishing research results I'll shift all such problems to someone else :)
The only way I can see under Russian Federation laws to get to such third party is deriving private key from something protected by copyright. OK, IANAL and that's offtopic here.

I created this address in April 2013 with Google Chrome on Windows 7 64-bit.

P.S. This hacker stole 0.02 BTC again from the same address right after I received earnings from Anonymous Ads!
https://blockchain.info/tx/edf891400feba38339738910aeb40545a77e7c69ad9ff58ab208999df3d6db4f

According to Russian criminal code it seems to be fraud (article 159 applies to any property, not only fiat money).

We need to know what system created the transactions that were linked above as reusing R values.

Though the sudden reports suggests to me that this was a product of recent bc.i code changes, not the browsers.

Do you mean that need to know what was hacker's system?

It would be rather article 158 or freshly minted 159.6. But the Bitcoin should pass tests defined in article 128 of Civil Code first. When (and if) it will be deemed as some kind of property, the advances in tax planning art would be astounding!

In Russia class-action lawsuits are impossible, but individual litigation is too time-consuming and just not worth.

Holy shit ... I just re-examined my research on all repeated R-values in signatures made in July/Aug.  

I now suspect blockchain.info was responsible for all of these R repeats except the last .... (note this data is through today - block 253081).

• 2013-07-03 16:33:04 (https://blockchain.info/tx/5332b47e137a5819357c6c8787fa11a4a50a7f63751624bde662d8cf0e6158ec) - Relayed by Blockchain.info
• 2013-07-05 22:14:05 (https://blockchain.info/tx/54ac98e2301b9c7fdab5cfe93907032cc1248f9d5995cee70f38e98ba93d2d7f) - Relayed by Blockchain.info
• 2013-07-13 14:42:39 (https://blockchain.info/tx/69557597cc443920e9b9dae54283b77109d0087f2ad7b0ed1364afb0992bb191) - Relayed by Blockchain.info
• 2013-07-23 03:16:38 (https://blockchain.info/tx/569af9e1e4d1c6e02b7574ec551d74a2ccaee1f33b4f9b4191a3c5d81aeeb150) - Relayed by Blockchain.info
• 2013-08-04 07:33:50 (https://blockchain.info/tx/127da3144a02f16e1a5ccb67778a2f5f9924023ce9aa20c1c4d08be576cbb0b9) - Relayed by Blockchain.info
• 2013-08-06 05:43:31 (https://blockchain.info/tx/7eb9b7a277b0d52d49624b95c2c3df9c49280d33731462e0cf281e014fea8867) - Relayed by Blockchain.info
• 2013-08-16 15:39:48  (https://blockchain.info/tx/f92d4310ccc12bc41d2e51ab17b80c942a9343fce7a63a41e3d2db646fe05661) - Relayed by Blockchain.info
• 2013-08-18 16:58:44 (https://blockchain.info/tx/e05d98ee17d4610eb4e63cf27dd4e63f7128dc28187ae73588ca5562d9391bb8) - Relayed by Blockchain.info
• 2013-08-19 20:13:31 (https://blockchain.info/tx/156e5229f561d3a42e5e1f73141a688d178259f2c3842758c8f2d56d0fbb8d20) - Relayed by Blockchain.info

• 2013-07-31 13:27:03 (https://blockchain.info/tx/38fbb8a3ff718dd7c8006feb6aa9ed6add1772522781b0db95abb350a859220b) & 2013-08-04 15:41:30 (https://blockchain.info/tx/b6350f4339a59faf09bfc2a4086c2261598f46f257517ce53785145c964799bc) - Relayed from EU and US respectively

The more serious of the 2 android SecureRandom bugs as detailed by the commenter Nikolay Elenkov (https://plus.google.com/+AndroidDevelopers/posts/YxWzeNQMJS2), only could cause repeated R's across application invocations (and not in the same transaction), thus one would expect to see a R repeat from an android client spaced in time (across transactions) and not relayed directly through blockchain.info.  This fits the pattern of the last example.  

All the other R repeats happen within the same transaction and the transactions are relayed directly through blockchain.info.  Being relayed directly though blockchain.info means it was likely submitted by their wallet (or less likely but also possible ... another wallet that uses their API).  

Edit 1: Updated research to include repeats from recent blocks.

In the USA?
You have a civil claim of course.  And for criminal, Wire Fraud.  If interstate or international, Federal rules apply:
http://www.law.cornell.edu/uscode/text/18/1343

After reviewing the blockchain.info wallet source code, I can not recommend using it at the moment.  I had a full monty write-up on this earlier, but as I've dug deeper I've decided to take it down so I can communicate my findings to blockchain.info exclusively first.  Stay tuned.

My understanding is that b.i uses the "web crypto" APIs when available, and they should be more or less a direct path through to the platform crypto RNG.

However if the browser does not support those APIs then it basically just invents its own RNG. I recall bringing this issue up before, a long time ago, but I don't remember what became of it.

Do you advise to meanwhile sweep funds to a fresh new address with blockchain wallet?  Is the blockchain wallet safe to make transactions with manual key rotation?

If you are feeling careful, IMHO it would be wise to move to a non-javascript wallet for the time being ... and when you move, do it with a single transaction ... that way even if your signature(s) expose the private key you're moving from, they'll be nothing there left to spend.

Careful with that "move all at once". If your move transaction reveals your private key it may be the case that people are attacking in realtime now and might beat you w/ a double spend.

I would prefer to move the keys into something that doesn't have known DSA nonce concerns and send that movement transaction from there, if at all possible.

Jesse James has informed me of a problem with the rng used by blockchain.info javascript clients being poorly seeded when initialised in a background webworker task. In some browsers this could lead to duplicate R values being used when signing transactions (Firefox is likely to be particularly vulnerable). This issue effects the transaction signing code only, not the generation of private keys.

Patches have now been deployed, Please ensure you upgrade to the latest version of your Blockchain.info client.

Chrome extension - v2.85
Fixefox extension - v1.97
Mac client - v0.11

Users of the web interface should clear their browsers cache before next login.

Only a handful of addresses are known to be affected thus far. Likely if you have been affected by this problem your coins will have been taken already. All affected users will be refunded in full, please PM me or email help@blockchain.info.

Nice speedy fix :)

Could you push out the source code changes to https://github.com/blockchain/My-Wallet-Chrome-Extension ? It hasn't been updated for 3 months.

Is it possible for a bitcoin wallet to scan all previous transactions to check that the r value isn't being reused before broadcasting the new transaction? I appreiciate it might be expensive to calculate if you have a lot of transactions in your wallet O(n^2)? but for most wallets that's a small enough number I'd have thought?

I've been using blockchain.info wallet directly in my Firefox, without installing any browser extension. Am I vulnerable to this bug?

You are vulnerable, yes. But since no funds were stolen from you (I presume?), the bug luckily wasn't triggered (it didn't use the same R value twice) as it seems some people are actively scanning the blockchain and stealing whenever the bug happens. The bug is already fixed according to Piuk. Just clear your browser cache and you should be safe again.

Can someone please run the script on these two addresses and determine if this theft was caused by the bad signatures and comment in this thread:

https://bitcointalk.org/index.php?topic=277601.0

Here's how to manually force the update in Chrome.

1. Go to "chrome://extensions"
2. Select "developer mode"
3. Click "update extensions now"

I believe that if you can prove that change was sent to the address in a transaction from an address you can prove ownership to (by signing a message) then that should good enough.  However, this obviously does not work if no change was ever sent to the address in question.

I have a few questions:
1. I've only used Google Chrome with my blockchain wallet, and haven't installed the blockchain extensions, only used the website. I've also cleared my cache just a minute ago, am I vulnerable?
2. Were paper wallets at risk with this? Like, just an imported public address, with no private key.
3.) After clearing my cache, is there anything else I should do to make sure I'm secure?

afaik these addresses were not compromised by non-random numbers. But my script is not really sophisticated, so I might be wrong.

looks like the commit has been pushed now - https://github.com/blockchain/My-Wallet-Chrome-Extension/commit/a1fbd4a5ac14a188f1dc1144397446fb6ec6cdbf

Customer service win!

Was this an issue related to a problem with window.crypto.getRandomValues when webworkers are used? If so, please inform so that I can make Firefox aware of the problem.

I am working on Coinpunk, which is (like blockchain.info) using bitcoinjs-lib as a sort-of ancestor of the current code base. After the Android vulnerability was disclosed, I started looking at the existing RNG code and I was not impressed: https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/jsbn/rng.js

You can see where the RNG gets fed in here: https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/ecdsa.js#L237

I wanted to split the RNG code out into something that would use the best-available approach for its platform, so I put this together, which is the current development version, and has tests you can run in the browser: https://github.com/kyledrake/randjs.

I would really appreciate an audit and feedback on this code, as I intend to eventually use this in production. My e-mail is kyledrake@gmail.com if you want to IM/email me directly. Thanks!

window.crypto.getRandomValues is not available in webworkers because the window object doesn't exist in webworkers (by design).


IMHO, it's worth looking at puik's modifications to bitcoinjs-lib that he's maintaining in his branch (https://github.com/blockchain/My-Wallet/commits/master/bitcoinjs-lib) ... he's made fixes to the RNG in particular.

Honestly, if I were doing JS crypto my approach would be to just mainline randomness directly from window.crypto.getRandomValues and bail if it's not available.  If you need randomness from the context of a webworker, you have no choice but to message pass it into the worker from the foreground.

I don't have time at the moment to do a comprehensive audit, sorry :(   ... but javascript honestly isn't really my bag baby so I'm not sure I would be the best person to look at it.

This information was very helpful.. thank you! It looks like they did something similar to what I'm working on here. I'm warm to your idea of only supporting the window.crypto.getRandomValues browsers for the release version of Coinpunk, or at least warning users that they should upgrade their web browsers.

I wanted to ask you what your thoughts were on my skipping Arcfour (RC4) for window.crypto.getRandomValues. The blockchain.info implementation appears to still use the RC4 code (it uses window.crypto.getRandomValues for the seeding of RC4), but I didn't see why it was necessary here if I can just always get a nice random number from the newer browsers. Is this what you meant by mainlining?

Cheers! And thanks again. :)

Yep,  that's what I meant.

Your friend's private key was never exposed due to a signature nonce collision.

Here's every address that has been exposed from genesis through block 253081 ... obviously only a few of these are due to blockchain.info:

121Zna8Dy9W2qDvsJEH2ALeHQkteXaeGng
12CkZeZvwDwiTvFm5H8bABpEqQHXJ6gWc1
12JDjmk2fGMPRK9GaT98vBFDc3MDHoPV9r
12RFNoJK2MSiWfXt3fFG7F4urUpLGnTBxh
12WhvZTWMv9XLfyM2g7XFSUgpwzuQUX5Mq
12a7gpjZDQBDhVSknfQzL3ygcASNQcocnd
12c1XuVdjQwyftTbqnWMT94CYW6vKFknwm
12ekVy8duhBMLGd1JhxcgxrTN1fchmVcTo
138VcLyoAb5sdjo3cDw7d14fUGLKRwQ9VK
13CWujDi4g6DWB9bWDXT3TfRU635NPJdPF
13GXRxeyR9UTDQojZYv9NZ1j3VA6Butc9U
13LRBbvgCSXsUs4JNmYhzHRo3re8vYVDid
13ds2bCrxe68w8WD4R7bWSjGq4uK7XbzWH
13fZF8aZcSjpxhukHkyVtHsLnPnVszQaLm
13oCG1VNMAGtNp9RcAmUieRf8NayAJ7xj7
13x6i5itrvR8Rf75xP8PZaPtNTNxZLReLe
143CugrdSngLmDaLWoLrWJzb4AU1xLMqoY
1494Wwkf8QN4nC3gSYz3qjZVNuVZSHw2zi
14FguDL7teNFCctazjUxCxCfZtssycq11h
14RJsWTjq9q2a9tNQSdpxbMaViWoXxRbjt
14ih1qxbcFmwLm8Hc7qTr3BhzdmWTWRmpC
14reTqqg8r4qriHozsYoydugzLjYtpVoMZ
154nELZtftuW951oQY7erHnN4L196c98Wp
15E8CUjvHDVj8mBzhkNHErXtz4AeEHycpH
15GieELLKTruUdzmTDVYP1TsjnzNRDg8Qa
15p65cNbtB3bQYf9GB78edRo5Ppux3uaU3
16He3EDsvTKYRSQGsZeoooTbYAjy9fiLoQ
16NCxA48LPKdSr5fACPnrLxgkrFnDJAzLp
16SchApeKZEc86CVJCc1vLQ17TEJCRJNef
16UkUnbqW8PXRrwgxRdb2UTivbgNnBYqwC
16io8zfbhStqe9WVdHN3JLzc29D73okaoy
16y2wAieZE9VknMK29J7EAhC8fmRtdLy8p
17AHXAodFQ33A4DqFENVHCG59qiaRNbhcq
17HHdLh4oXncuTejALwC6fgArVqPUxh2Sr
17Lq1nrktyEFV3AVPAbsbDXWuWoUNMhws8
17Vjk88w6fy5YRVUGD6Aa9w545UA6K4tYZ
17gDnz5TU8T16Pgzo93M7Dm1j5HS3UuS2Q
17sDdDiW2dNRQvTu2NkwwCbfXNFxVCpbZW
18KZdcnGaqaXnHiRPb8rVGCztyA4jJPKtS
18mmzMizs5CHtLJwchtPMuiYqVqWjw3rLe
18pqzCLA17hdnzxFnf5Cad2feA1RHKtW2P
18yDksipyvWEX14KTd4DHvj6ZDcXvNqtpB
196SL6bZEvBT8A9z46df54zE3rzZfXzwe8
19DcmnrhqpLgn8L6Exay1sJiKZPtYUAw1Y
19cRkXQfonjdJT9K8TMuDxV1PKLSdHZtPh
19qnLpn9it7csR9sEay1XrFyfAmUNoXYk4
19yCy4mFWJVsdJbgtG79VwHGxQpcx4uhcr
1A8TY7dxURcsRtPBs7fP6bDVzAgpgP4962
1ALsXt19tBxMr29WfM2Zd7EU8HwzooLGHx
1AgVauV4U1tt3KbRiehht56NoZeKprLUXe
1AnFEpvs8a41T3ZpfPtXBENvkL5oatQ64D
1AyTNQRvz6fo7EvebGpKfJB7jJeppxY4yc
1B8vhS5umMNKvwQFHJ3Hgres4NJeoe8U7Y
1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm
1BMzWp77j7x3GKDYNbCP3df7YG3UEw1vVE
1BRwmguCycCWSbueTcpn1vSJddMJXEhyjH
1BvQyALiTSgKwVYzDL3ANoqmdWaoyRZazS
1C3G6y8Cyi7ECDaaDhG34sLzrv1dd7Xo33
1C8x2hqqgE2b3TZPQcFgas73xYWNh6TK9W
1CFVxqxX3i9L9dm6Gw2QKJ2fH18HSJ9H8k
1CNHzFKNCkCwYecVUfmahmqDFrn5uuRzsU
1CRcBxVoXCqL7cEiq7b7rTYQyMhUrCu5Mf
1CozShbCQwFqa3iw2AUE3zn7Pp1f3HR3D
1CqEdApNprZzgqUsuyLocXKH5yMdFTnTJQ
1CxZGXpNLDmr7eDmgMiGc1n1gAyE6LKBig
1DHmu7BvzjpQQxbKEuqTU2zSvZmgZBBrne
1DQK1Xb1gKBRXLi4PEegWCZ1giELgBqhq7
1DWhHeTnoZAFPehoM1W6S37hn7nVjZLrQN
1DY5YvRxSwomrK7nELDZzAidQQ6ktjRR9A
1DcNJeexQV2kM78AdMKSzmsQ8DeNMHLTJ1
1Df8hDiS6RSeu9WDUqUtBpBmBoepzo24pD
1Dka5AAYwdZkrPJZHjKmdZkaVATnwYeSqG
1E67dSKMyrEoqfAjSsE1SNpeeau4pmyc5j
1E9ffsnXjMnZxmJaqCLXWhqWzKqx1sZXP9
1ECvZ9ojebv5TVWySf2roXRP4XyQb5rNCy
1EFET6LSLabV5KR55XqRzzhQ1rBUGTD1SQ
1ENrnLCxp9srcWCCE3kQFNqHRGDijespb9
1EPXZfTX6TD3L7TQdRu2nqMT8mrAAPSTST
1EUDdSvFGmZCa5zUXSXFSQD7r2qBZaSWJU
1F48AGnDGLBbDr5Uk7DfUhrhe8U14eHKaH
1F9tB2p9NWsGEt1TjiGAa3WEEGs9Wc779R
1FPSVbypWa7rBWbciKHJ983YWcucBn7aUQ
1FPgs8ZaxXUAp61jkd53U7zWj9NQq8yM34
1FX2xLHNxcT77bxLZXHzet6e8kMSS53uDK
1FY4Ny2ZTvDGDHshB1Rpp5Di9x6Q9GVd5a
1FYXLjfFJ1qsngiArLsrBVEGRaKkV15FGV
1Fcj89eqk1xCe6PqkMpaUuWCaK7MUXeYbZ
1FwbYs6UL2fzB9crvhWNCZyr9oqNjEXzcu
1FxWoGvwzjWGKk69vFumyoBaUCqzsndVck
1G3BjSLWsWH6tbPYs29fYMYaz9k8EStQM
1G4TqNcKTRRuQ3brQSv85Fohf3jQiaGAbL
1GTFFqbHGp6xwcKVmLkbLqHiauUbKT7jxs
1GUqD7UATGzbEBrMjweP5GCTQeU51TsZbj
1GYRDPaCm3hrzUcgfT49w7mcvoQu2Y4MmX
1GjDS84eNBx6QQoo7dBddvgYArSttxLYdk
1GysfXJbf5FREeJetrwuANNZi8pcz4n1v6
1HWEyVbuyPmXfR9eBnrh4v2Npjnp9UJQCw
1HWYEGYNgVc7bc28RCAa8mCJPv9eEnHieR
1HXSnvNGK8oYQCyLDkpHNZ2sWPvFsYQcFU
1HmJh2b8iS64WgX5snSzKYrNXqbnKkuBvE
1J8THH46JdkjiGYLQyPQDHVk4gtftahDUx
1JCMAUG9P8X4PHM7rF4ywDFHaAK2FMRrkN
1JFMHv7ijwXDQYQrehhSxn6u9bTfkGCmK
1JNC3iaxA95NbWrSro5me2BM27wohuucKD
1JNMvqdUYP9eDR3mEkxxCne4BYabc93Nwh
1JZ5NjZCDrnj84mZnv2fuAmAb7w4v5LiEu
1JjcWuJDRNkw3XcMfE7khhRg1UCxU8eKua
1JmMcWWy1mFuubbsBRPuVXdjFdtM2ENJXE
1JnqZ6Djhncs9YHe74CbkLaXXAbA1phsTU
1Js2D8Fj1AWQ2aB7TMtmJ6rn4bYDFtcjgF
1K5CgovB1c4vX22MvUq8cfRsuctG86Jmx5
1KSFgqcm6mc4Aaq6EsR6Awfr65S6RmVeHh
1L8DFt7yYA3iZsr6RA3d1mpf4J7TgBsYF
1L9a8dXMgq2xWV1zaDUGje2FAbzCG18QQh
1LKu5b7jUoM7MJzeuTCmvDWsJrBgBhcvhb
1LnBTt9TYRMt4aABcDYSoaMQ9jV8Qgajkx
1Lr9tUFz4mypFzc3PYitgGU1dTg21ubM9p
1LspNcTjkzFQRrsr4iGGxD5RSKehB5fHnA
1M5edBFjjFJhQhgSuCUQnX3uytcskgnqQB
1Mjwi2LnE6oz3p8dNFXWgMpAPBs6ZpPPA2
1N2aQiQ5LjNQ3C3cKCmHHnnq65RH3zRD9B
1NCRgUAgJnzBGcLNX7iQD1d9Cn9ZyKF2PC
1NEb41nDgxWwVzhHSsk4obURJ13KauJRsF
1NRtYCGVo2vR7WmYVussK6sVva2wZsYTep
1NSLj5xdCyRmMYVtM7bwZxZarYLm6EGZJf
1NSnZPRR32mrfAADxNJcPRP647gseqEMyj
1NuSEboWF7YJ3bozo5H1JDpH5yc7zyHZm8
1NvfCyqRh6cuh8dCQDJmboriifg1eaYDnV
1PUv3XNWWCDmEK6o9VerPK81qVfo4Wtvv2
1PWTFonhiXCdTZ4Nd2J726rqWnNsTVeVMY
1PXU5aD3fzgAm2E56o2VSaHpVe4bhe3d2m
1Pbt1LGM2JNgMjtnEscEmntsSrcYofeaoa
1Pde4CbEitkdPiwwKvd6s3znWw7EXZMYjD
1Pq6Ygv3kdMVX2TdNhUSPadxaShiGJUAoS
1YWwSaXTESKgDpitb6Rp8bteXzUR6hjDg
1ZBRXLZEzSukVDEDDJjtHYmrpkEGH94nS
1kJwZbv3dhUowPyRHcxJMknoJpPYfwaGf
1kMEr9W4YeAnzFcuSWwj3ShYGANdLHSxG
1szVke6ThJtfdUTi6Y5AAMDMePM4Ha8vK
1yiQRuB3KRxZTrSHBNZK9NdjbyJskHiVs

Jesse James, you missed a few addresses:

16mWzkk6iznyJQ3sKQRYxQ1Zr8xWpGMFWi
1B2wqabcETtQxPuacB5whni7GUjDn1oQQX
1BH4hyBMH8NoiscwiPngP23fVNN8wpJwrT
1HRhPdTXhTDMTM8C9C3Y8FGD1EKszkPGv
1K5XZhjCwbLYHwys86FvepaHt6tFiWb35T
1LfuyRkm9MrEXTz72hzpPsL46mzHEXfqWj
1MmE9r9QTN2GnP1TF7JhZSKPsubuXguJkb
1NujNX3cvbikAZMnKtETgSd7kvw7o93MRg
1PCrHhXxS8ZotDvgSA5WxpmtC1qNQchrPr
1Q4VVTsx6vgYth7iD9WnAgHvAj239PMaoL
1rPAkJSXWgnLFEiCzv3APUFLsi8Kzv3pX

Only one of these addresses is very recent.  Maybe my script finds more keys, because I also catch an addresses when the R-value was used only once as long as the same R-value was used on another address twice.

Moreover, the two addresses 1Q8eetJs5wRpqR3b5FT9EHe6GD8Bges9Hm and 195Tycz7nVhV7aKw98nq74FdVYtyYyE1K7 are endangered by this transaction:
https://blockchain.info/tx/127da3144a02f16e1a5ccb67778a2f5f9924023ce9aa20c1c4d08be576cbb0b9
I think it is not exploitable but as soon as one of the private keys is revealed, the other is also revealed.

Jesse James,

While I appreciate your efforts with this,  I think deleting the reply to johoe is more questionable than the way you replied..

I don't follow?  My reply simply acknowledged I had overlooked the cases he pointed out.  I deleted it because I thought it prudent to double check his additions first.

I reran my script to try to catch the special case you mentioned but oddly was only able to confirm a subset of the ones you reported.

1BH4hyBMH8NoiscwiPngP23fVNN8wpJwrT
1HRhPdTXhTDMTM8C9C3Y8FGD1EKszkPGv
1MmE9r9QTN2GnP1TF7JhZSKPsubuXguJkb
1NujNX3cvbikAZMnKtETgSd7kvw7o93MRg

Checking my logic ...

Edit 1: My bad ... I think the discrepancy is caused by my parser ignoring transactions with non-canonical signatures (which stopped being allowed a while ago).  

On an unrelated note I also just checked if there was any overlap between the set of signature r-values and the set of public key x coordinates ... ∅ ... if there were any that would have indicated the potential for more RNG issues.

Can someone explain where the source of this issue with the RNG came from?

Was it the RNG in:

1. Blockchain.info's browser plugin code?
2. The Browser's code?  (Firefox, Chrome, etc)
3. The OS itself?  (Windows, OSX, etc)
4. Something else?

Thank you for the clarification.

My account was hacked on Aug 1st.

https://bitcointalk.org/index.php?topic=266500.0

Someone was able to empty out my blockchain.info account.

Transaction id here:

https://blockchain.info/tx/1174e27cd6de043ec081a68b52f455ba1548f35949c2ba2ddd3abc60f5a29840

I've found no evidence that my email was compromised, and was using two-factor authentication at the time.

How can I determine if this was caused by the rng exploit?  I was using Chrome at the time.

Thanks!

This is quite important information, and it immediately makes me question the security of bitaddress.org generated addresses, anyone with more knowledge about this care to comment?

I've just locked out 7 BTC yesterday while fiddling with blockchain.info app on iPhone. Their database glitch forced to reenter the password, which blanked from my mind after several months of cached usage. I did a mistake by trying too soon, would I have waited for a few hours for service to come up, the cached password/database could still work. I felt this may come some day, just the timing was quite nasty.

What I have left now is AES encrypted blockchain.info wallet, and there's a hope to crack it via dictionary with bits and pieces from my memory. If someone already had an experience with bruteforcing it with speed optimized solutions would you please share the know-how?

Actually I like the blockchain.info, it's so far one of the cleanest services out there for small transactions, just some additional safety net in these cases would be a great thing.

Try this service
https://bitcointalk.org/index.php?topic=240779.0

I was referring to the fact that you posted the reply as hyperreal

 :D

"Conversion, theft and unjust enrichment."
-Msantori

I applaud you, Blockchain.info. Great service.

Hello, my blockchain.info wallet was cleaned in April - back then there was a wave of stolen coins but only a speculation about the reason having to do with the alias and offline copies.

can someone check my old address / transactions with the script?
https://blockchain.info/address/1N2ctCxet8zjeyQMQngfmkvC2h9qzF3c6k

Back then I used to do alot of outgoing transactions with Blockchain on Firefox..

Jesse James. I'm so sad. I lose 263.84btc total from 2 difference address in blockchain.info on 29th Aug. 2013. Details Please check  https://bitcointalk.org/index.php?topic=277601.0

Can you help me to check it's because of bug?

@watertech666: Sorry for your loss.  However, neither of your victimized addresses 1 (https://blockchain.info/address/1CzAncjXYjtiXNC4CNAw4RoKdQLoi72xn) 2 (https://blockchain.info/address/1Mq2Q1BMicK4ECE6GNR6mDTPdkxwxDe3mc) appears on my published list (https://bitcointalk.org/index.php?topic=277595.msg2974140#msg2974140) nor in johoe's additions to it (https://bitcointalk.org/index.php?topic=277595.msg2974983#msg2974983) so neither of your addresses was specifically effected by the repeated signature nonce issue. 

Also, it's clear the thief knows the private key for 1CzAncjXYjtiXNC4CNAw4RoKdQLoi72xn (http://blockchain.info/tx/8b382a9d47e0e561f3e1d281803ae8b4203e3aeee61cb972d9067985efa4d850), so you should remove it from your forum signature.  He could steal from either address in the future at any time.


@Aajo: Sorry for your loss as well, but your victimized address is not listed either.

@Jesse James
If there are any possible? I keep 4 backup file in same fold. 2 address lose and 2 address still there. And I use 2 FA. If thief stole backup file. Must 4 address all lose. Am I right?

That is very good of you. I feel very comfortable using blockchain.info. I think google should refund all affected users too.

Interesting that this is going further than the android problem. Perhaps someone should update the announcement to include refreshing the blockchain.info version.

Are blockchain.info paper wallets with already signed transactions in Firefox vulnerable?
How can we check?

It's hard to speculate.  Assuming this is due to a stolen wallet backup file, it would make sense for the thief to sweep all addresses in the wallet simultaneously.  However, you don't know how many keys were in the wallet when the thief may have had access to it ...  he/she might have waited a long time for funds to accumulate before swooping in.

I did some transaction following and it appears your thief is accumulating loot in the address 1HackerRpwYH7F6uGu8422dScNxaHAtWYz ... which currently has 647 BTC. 

Which apparently donated some here?
http://www.btcfans.com/donate

I had my Blockchain Wallet drained on aug12 I posted about it on the forum.

Can someone tell me if this wallet was on the list

1Cqfi7gKrbGgQuWNpGrziDzmaNoY2cGGjV

I don't use that wallet anymore and am worried about using Blockchain.info until I know how my account was drained while I was logged in and how someone else logged in to my account from Australia at the same time without my knowledge.
 

I simply did a search of this entire thread and no, this address did not appear on any of the lists posted in this thread.

So, unless your account was drained after block 253081 it does not look like this was the method used.

Thanks for doing that. I'll keep digging. Having not had anything stolen before online, this theft has made me very cautious of bitcoin wallets, its clear they are not safe and while you could have any sort of online account broken into, its coloured my view on the safety of bitcoins for the average user.

If only they'd refund other bugs as well^^

We also had some coins stolen, and I would like to know how I can find out if it was due to this blockchain.info security flaw.

In fact the attackers took only 4 BTC from us, but over 200BTC from several other addresses. So I'm pretty sure there are many other victims out there.

See these transactions Hacker https://blockchain.info/address/16oP8up3f8ePer1vfBPhypRqkUnsA9ZfYM

See more details here:   https://bitcointalk.org/index.php?topic=246328.0 (https://bitcointalk.org/index.php?topic=246328.0)

We would appreciate any help corroborating that it was indeed this security flaw that was to blame.

Hello,

I just reran my script and no 1cup addresses appears in the list.  So the cause is not a double R-value.

The fact that all addresses were compromised at the same time suggests that someone got hold of the private keys via breaking into the server or some other computer and got hold of the wallet.dat or the output of the vanity address generator.  I see that you still advertise these addresses.  You should really change them as it is quite likely that they are compromised.

Here are all addresses that were compromised since mid-August due to the double R-value bug:

12RqykuRC9esWxtJL3T9WiwsPb8gdPpdDR
17AHXAodFQ33A4DqFENVHCG59qiaRNbhcq
17YujH47nJqYDF91P9GfKbQYap9MdQP7cS
19qnLpn9it7csR9sEay1XrFyfAmUNoXYk4
1HgRa96fuHCde6Rie4nwhaz1hZR694X4wj
1M7UUR1QhTMwoEiVVWf88Dy4in23RjYdic
1NSnZPRR32mrfAADxNJcPRP647gseqEMyj
1P3wCaQNk438cXKsC2YYvpecWa6kZKGCKC
1PCrHhXxS8ZotDvgSA5WxpmtC1qNQchrPr

  Johoe

Just had a similar problem! 10 BTC ripped off from my Wallet without my consent! Please Help!
https://bitcointalk.org/index.php?topic=373612.new#new

I just got 16 BTC stolen from Blockchain.info


I learned my lesson.  Never using Blockchain again.

This isn't looking good.I think now would be a good time to find a local bitcoin wallet for my android phone (as the only one I have now is blockchain.info at the moment) that works whereas the official android wallet seems to make my funds disappear.

Maybe that's what my mac's for,store them away from online services.Any options?

We need better legislation for Bitcoin theft. Unbelievable how much dirt is out there  >:( :o

Similar to horse theft in the Wild West, which was so critical that capital punishment was the only way to go.

I suggest something like Sharia or Codex Hammurabi.  >:( >:( One finger cut off, per Bitcoin stolen, is a good start.

Scum of the earth scammer dirt, will have trouble typing with their hands cut off.

Hi I know this is an old post.  

I just found the address that stole the bitcoin and laundered the money.   They stole the bitcoin and spit up the coins into to address (mixed the coins) then merged back into 1 address later down the blockchain.

• Bitcoin address the assets were stolen from was 1376AFc3gfic94o9yK1dx7JMMqxzfbssrg  and went to 1AkcY9NLEBH8Esyxwnwu9HiFQaSUjfDooa.    Here is a visual node diagram - https://blockchain.info/tree/51585845
  Bitcoins were laundered and then merged back into address 1L7YRcL9h7tc5B4gWKikdz7UvwrxtBDPWp
  The coins were then transfered to  1BGZohKS9QboP9gwCs4jw7vUXEvyPEs3FL  on 4/14/2014 where they stayed until   2/24/2016..  After that looks like this one person started profit taking of 10 btc converting into fiat.

I just need to found out who owns 1BGZohKS9QboP9gwCs4jw7vUXEvyPEs3FL.   Should be a depositor address at one of the exchanges.  Looks like 1L7YRcL9h7tc5B4gWKikdz7UvwrxtBDPWp was the hackers person wallet address.

My funds too went in a similar way. It got stolen on 7th June by this address: 1PTKJsu66KFAYmaKTFv7h9d38enhtdxdCf  and then was sent to multiple addresses which I was unable to track and the final address had some 10 btc in it from multiple addresses (including my coins). It was about 0.057 btc that was stolen. Anyways to track the hacker?

Well this is a blast from the past.

Is there any way in this modern world to identify who might have done it, I want my BTC back :(

I think It would be a good idea to tell us what exactly happened. Have you been unable to access your account, like it has been the case with some other members lately? Was there a security breach in your account that lead to the theft of funds?

Did a little mining back in the day, woke to an empty wallet, then gave up on btc.

I have access to the wallet & I can prove ownership by other means.

I just want to know if locating the person may mean I can get something back.

It seems we know where the final destination was, wallet wise the last I read.