Title: WTF? 1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh [bc.i]
Post by: amaclin on December 10, 2014, 10:51:53 PM

Look at https://blockchain.info/address/1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh
Do you see outgoing transactions from this address?
They are unconfirmed and cannot be confirmed by other nodes,
because 1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh is a hash of hex ( "00" ).
You can see that the scriptSigs do not contain a public key, but only OP_FALSE instead of it.
In fact this is not the OP_FALSE command but OP_PUSH ( 00 ).
So, these transactions are invalid. But the attacker can "send" coins from this address to other users of bc.i.
And this can create a long chain of never-confirmed transactions, because the bc.i service allows spending unconfirmed coins.
Does bc.i verify signatures at all?

Title: Re: WTF? 1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh
Post by: gmaxwell on December 10, 2014, 11:39:16 PM

::Sigh:: Again?
https://people.xiph.org/~greg/21mbtc.png
Really the limitations of the security model for that kind of wallet only start with the JS substitution/injection attacks. The fact that even if the software is perfect it depends on honest data from the server... You can rob someone just as well by making them think they've been paid when they haven't been as you can by stealing their private keys.
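
A structural pre-check of the kind the first post asks about, as an added example that is not code from the thread or from blockchain.info: it decodes the address from the post, parses a scriptSig into its pushes (telling the `OP_FALSE` opcode apart from a one-byte push of `00`), and rejects a P2PKH input whose second push cannot be a public key. The function names and the sample scriptSigs are constructed for illustration; this only checks shape, and full validation still requires executing the script and verifying the ECDSA signature.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDRESS = "1FYMZEHnszCHKTBdFZ2DLrUuk3dGwYKQxh"   # address named in the post

def base58check_decode(addr):
    """Return (version, payload); raise ValueError on a bad checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    body, check = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != check:
        raise ValueError("bad Base58Check checksum")
    return body[0], body[1:]

def parse_pushes(script):
    """Split a push-only scriptSig into the byte strings it pushes."""
    pushes, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if op > 0x4b:                 # larger pushes never occur in P2PKH
            raise ValueError("unexpected opcode 0x%02x" % op)
        size = op                     # 0x00 (OP_FALSE) pushes an empty array
        if i + size > len(script):
            raise ValueError("truncated push")
        pushes.append(script[i:i + size])
        i += size
    return pushes

def p2pkh_input_problems(script_sig):
    """Return the reasons script_sig cannot be a standard P2PKH spend."""
    try:
        pushes = parse_pushes(script_sig)
    except ValueError as exc:
        return [str(exc)]
    if len(pushes) != 2:
        return ["expected <sig> <pubkey>, got %d pushes" % len(pushes)]
    sig, pub = pushes
    problems = []
    if len(sig) < 9 or sig[0] != 0x30:
        problems.append("signature is not DER-shaped")
    if not ((len(pub) == 33 and pub[0] in (2, 3)) or (len(pub) == 65 and pub[0] == 4)):
        problems.append("pubkey push is %d byte(s), not a 33/65-byte key" % len(pub))
    return problems

# Constructed samples: a placeholder 71-byte signature, then the key push.
SIG = bytes([0x30]) + bytes(70)
BAD = bytes([len(SIG)]) + SIG + b"\x01\x00"               # push of the byte 00
GOOD_SHAPE = bytes([len(SIG)]) + SIG + b"\x21\x02" + bytes(32)
```
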