Recent breach at Blockchain.info -- Android App did a stupid.

[Cryddit]

  http://www.theregister.co.uk/2015/06/01/blockchain_app_shows_how_not_to_code/
  http://arstechnica.com/security/2015/05/crypto-flaws-in-blockchain-android-app-sent-bitcoins-to-the-wrong-address/
  http://dillingers.com/blog/2015/06/09/ce-random-numbers-and-response-parsing/

Short version of the story:  They were getting "Random" numbers over HTTP (WRONG!) from a third-party (WRONG!) to initialize a PRNG and generate keys (WRONG!).  

The third party - random.org in this case - discontinued its HTTP service because, well, random numbers over HTTP is WRONG!

But the clients Blockchain.info had deployed for Android didn't parse the response to see whether it was an error message; they just read the "301 service permanently moved" error message and treated it as a "random" number.(WRONG!)

This left all those Android clients initializing their key generators with the same not-very-random number.   And for some of them, where the sole other source that they attempted to use failed, that was the ONLY initialization.  

The result was that all of those clients generated the private key corresponding to 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F and sent bitcoins to it.

And somebody who noticed a whole lot of coins accumulating at "his" address, spent them.  

" There are more ways to get security wrong, Horatio, than dreamt of in your philosophy. "

[1715206332]

1715206332

[1715206332]

1715206332

[1715206332]

1715206332

[1715206332]

1715206332

[jbrnt]

If these stories were true, Blockchain.info has really messed up this time. I have the wallet on android (not 4.1). This could easily happen to me. Lucky I have never created new addresses on android, only send and receive on mobile from addresses created on web.

[achow101]

This would explain all of those threads about the 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F address which people were claiming that their bitcoins were stolen.

[Cryddit]

This required an UNBELIEVABLE level of ignorance or wilful stupidity to achieve. 

I mean, hell, the minute I hear "Random numbers over http" the deal is already broken.  HTTP is not private and has no message integrity.  Middleware intercepts and rewrites HTTP all the damn time.  Your message could be tampered anywhere along the way!

The http service shut down in January.  Blockchain noticed in June.  Wouldn't you think that if your security depends on a web service staying up, you'd at least write a script that would tell you within, say, 24 hours, if it went away?

What does it take to not notice the difference between '200 OK' and '301 Service Permanently Removed' responses?  Seriously!  How could you possibly write an app that wouldn't notice that!!

"PRNG initialized from only two sources" -- another deal-breaker.

And then, when it tries to read one of those sources and fails, it fails SILENTLY?  What the HELL?

I'm just ...  I can't.... wow.  I didn't think that level of ... whatever it is .... was even possible.

[achow101]

This is really stupid of them. This is also why I don't trust third parties, they usually screw something up. I personally use Bitcoin Wallet for Android by schildbach and I rarely keep any coins there.

Also, has Blockchain.info fixed the problem with their app yet? If they haven't then a malicious user could try to generate that address and steal Bitcoins.

[Melbustus]

This required an UNBELIEVABLE level of ignorance or wilful stupidity to achieve. 
...
I'm just ...  I can't.... wow.  I didn't think that level of ... whatever it is .... was even possible.

Yeah. That was my reaction too. I code more defensively than that for free consumer web-apps that have nothing to do with money or sensitive data.

It's sad to see Blockchain blowing it like this. They raised $30M and have a team of 23. WTF have they been doing?!? Not only are they apparently 1) Not hiring the right people, 2) Not implementing any sort of code review over critical systems, 3) Not implementing any sort of reasonable testing procedures for a financial product...., but their overall product suite is essentially the same as it was >2 years ago when the entire company was basically just Ben.

I've been hugely disappointed in Blockchain over the past 1-2years.

[Muhammed Zakir]

I was in the middle of writing a breakdown of what went wrong, but you've beat me to it.

Basically, they have a LinuxSecureRandom class that's supposed to override the standard SecureRandom. This class reads from /dev/urandom and should provide cryptographically secure random values.

They also seed the generator using SecureRandom#setSeed with data pulled from random.org. With their custom SecureRandom, this is safe because it mixes the entropy using XOR, so even if the random.org data is dodgy it won't reduce security. It's just an added bonus.

BUT! On some devices under some circumstances, the LinuxSecureRandom class doesn't get registered. This is likely because /dev/urandom doesn't exist or can't be accessed for some reason. Instead of screaming bloody murder like any sensible implementation would, they just ignore that and fall back to using the standard SecureRandom.

If the above happens, there's a problem because the default implementation of SecureRandom#setSeed doesn't mix. If you set the seed, it replaces the entropy entirely. So now the entropy is coming solely from random.org.
And the final mistake: They were using HTTP instead of HTTPS to make the webservice call to random.org. On Jan 4, random.org started enforcing HTTPS and returning a 301 Permanently Moved error for HTTP - see https://www.random.org/news/. So since that date, the entropy has actually been the error message (turned into bytes) instead of the expected 256-bit number. Using that seed, SecureRandom will generate the private key for address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F 100% of the time. Ouch. This is around the time that address first appears, so the timeline matches.

I haven't had a thorough look at what they've replaced it with in the latest version, but initial impressions are that it's not ideal. Not disastrous, but not good.

Unfortunately, people still use this wallet after many careless mistakes from Blockchain.info.


@OP: Could you please add '.info' after 'Blockchain' in the title?

[Cryddit]

@OP: Could you please add '.info' after 'Blockchain' in the title?

Done.  I'm still boggling over this.

[tspacepilot]

This would explain all of those threads about the 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F address which people were claiming that their bitcoins were stolen.

Not just could, it does explain those threads.  @Cryddit, you're right, it's quite mind-boggling that a site as reputable as blockchain.info screwed this up so completely.

[jl2012]

This would explain all of those threads about the 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F address which people were claiming that their bitcoins were stolen.

Not just could, it does explain those threads.  @Cryddit, you're right, it's quite mind-boggling that a site as reputable as blockchain.info screwed this up so completely.

Reputable? In terms of their track record of fucking up?

[tspacepilot]

This would explain all of those threads about the 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F address which people were claiming that their bitcoins were stolen.

Not just could, it does explain those threads.  @Cryddit, you're right, it's quite mind-boggling that a site as reputable as blockchain.info screwed this up so completely.

Reputable? In terms of their track record of fucking up?

Obviously reputable is a matter of interepretation.  But for me, the fact that they're probably the longest running web-wallet service not to be completely hacked and lose everything says something.  Also (and again, this may be just due to their longevity), I think they're the go-to block explorer for most people.  Kinda like google, they may not be the "best" search engine, that's a matter of debate, but many people equate search with google.  I believe that many people equate looking something up on the blockchain with looking it up on blockchain.info.

So, I guess I don't know a lot about their fuckups, and I don't use a web-wallet anyway (for security purposes), but yah, I had thought they were reputable.  Presumably, I don't know the whole story.

[achow101]

Obviously reputable is a matter of interepretation.  But for me, the fact that they're probably the longest running web-wallet service not to be completely hacked and lose everything says something.  Also (and again, this may be just due to their longevity), I think they're the go-to block explorer for most people.  Kinda like google, they may not be the "best" search engine, that's a matter of debate, but many people equate search with google.  I believe that many people equate looking something up on the blockchain with looking it up on blockchain.info.

So, I guess I don't know a lot about their fuckups, and I don't use a web-wallet anyway (for security purposes), but yah, I had thought they were reputable.  Presumably, I don't know the whole story.

I would not use their web wallet ever. They have had some fuck ups in the past. One I remember is an issue where they were using the same R or S (I don't remember which) values in the signatures of all transactions sent by them. This led to some user's Bitcoin's being stolen.

[RocketSingh]

Damn. This is ridiculous. Why did they need to call random.org ? Does not an android phone provide enough entropy ? I think, if phone location (lat, long) is used along with phone number, then better entropy can be created.

Does anyone know how blockchain.info generates the random number for an address while we create it through browser ? Do they call random.org there as well ?

[Muhammed Zakir]

Damn. This is ridiculous. Why did they need to call random.org ?

To get increased randomness.

Does not an android phone provide enough entropy ?

-snip-

Basically, they have a LinuxSecureRandom class that's supposed to override the standard SecureRandom. This class reads from /dev/urandom and should provide cryptographically secure random values.

They also seed the generator using SecureRandom#setSeed with data pulled from random.org. With their custom SecureRandom, this is safe because it mixes the entropy using XOR, so even if the random.org data is dodgy it won't reduce security. It's just an added bonus.

BUT! On some devices under some circumstances, the LinuxSecureRandom class doesn't get registered. This is likely because /dev/urandom doesn't exist or can't be accessed for some reason. Instead of screaming bloody murder like any sensible implementation would, they just ignore that and fall back to using the standard SecureRandom.

 -snip-

I think, if phone location (lat, long) is used along with phone number, then better entropy can be created.

Most users' doesn't allow GPS connection to apps like these and also some users' doesn't want to expose their phone number because of privacy concerns. They may give access to these if everything is stored/done locally but Blockchain.info is a web-wallet.

Does anyone know how blockchain.info generates the random number for an address while we create it through browser ? Do they call random.org there as well ?

I think they only call random.org in Android for increased randomness.

[tspacepilot]

Damn. This is ridiculous. Why did they need to call random.org ?

To get increased randomness.

Right, but that is patentenly ridiculous (imo).  If you have a device with a radio, a gyroscope, a wifi-antenna, a java-random-number generator (that was recently hardened for use with crypto) and then you decide to make a call to a website to get a random number, that seems nuts.  What's even more nuts is that they weren't getting back a random number but an error page and somehow they weren't even looking at that.  It's pretty shocking.

[Muhammed Zakir]

Damn. This is ridiculous. Why did they need to call random.org ?

To get increased randomness.

Right, but that is patentenly ridiculous (imo).  If you have a device with a radio, a gyroscope, a wifi-antenna, a java-random-number generator (that was recently hardened for use with crypto) and then you decide to make a call to a website to get a random number, that seems nuts.

True. They could just do like Bither do.

What's even more nuts is that they weren't getting back a random number but an error page and somehow they weren't even looking at that.  It's pretty shocking.

The worst thing they were not using HTTP to make the webservice call to random.org. On Jan 4, random.org started enforcing HTTPS and returning a 301 Permanently Moved error for HTTP. So from that day onwards, the entropy has actually been the error message which turned into bytes instead of the expected 256-bit number. Using that seed, SecureRandom generated private key for 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F. When will they learn?

[Grand_Voyageur]

=snip=
The result was that all of those clients generated the private key corresponding to 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F and sent bitcoins to it.

And somebody who noticed a whole lot of coins accumulating at "his" address, spent them.  
=snip=

This "someone" really got a winning lottery ticket. 34+BTC are really some nice bucks.

[jbrnt]

If you have a device with a radio, a gyroscope, a wifi-antenna, a java-random-number generator (that was recently hardened for use with crypto) and then you decide to make a call to a website to get a random number, that seems nuts.

I have always used a blockchain.info wallet and was quite satisfied with it. Their sloppy coding is not giving me confidence to use them anymore. It's money at stake here and some users, quite unwisely, have their life savings in bitcoin stored on their wallets.

I have been postponing my purchase of a hardware wallet long enough. It is time to give it more thought.

[tspacepilot]

=snip=
The result was that all of those clients generated the private key corresponding to 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F and sent bitcoins to it.

And somebody who noticed a whole lot of coins accumulating at "his" address, spent them. 
=snip=

This "someone" really got a winning lottery ticket. 34+BTC are really some nice bucks.

I suspect there are several such someones and they must basically be in a race to see who can spend first when money appears in their address.

If you have a device with a radio, a gyroscope, a wifi-antenna, a java-random-number generator (that was recently hardened for use with crypto) and then you decide to make a call to a website to get a random number, that seems nuts.

I have always used a blockchain.info wallet and was quite satisfied with it. Their sloppy coding is not giving me confidence to use them anymore. It's money at stake here and some users, quite unwisely, have their life savings in bitcoin stored on their wallets.

I have been postponing my purchase of a hardware wallet long enough. It is time to give it more thought.

If you're just trying to set away some coins for a future date, just generate a secure keypair and print it out.  You don't need computer hardware in order to keep a number safe (just my opinion).

[jl2012]

If you have a device with a radio, a gyroscope, a wifi-antenna, a java-random-number generator (that was recently hardened for use with crypto) and then you decide to make a call to a website to get a random number, that seems nuts.

I have always used a blockchain.info wallet and was quite satisfied with it. Their sloppy coding is not giving me confidence to use them anymore. It's money at stake here and some users, quite unwisely, have their life savings in bitcoin stored on their wallets.

I have been postponing my purchase of a hardware wallet long enough. It is time to give it more thought.

HW wallets are not mature and may not be as secure as you think: https://bitcointalk.org/index.php?topic=1022815.0;topicseen