Bitcoin Forum
Author Topic: Possible security issue with blockchain.info (plaintext password)  (Read 530 times)
pminers
October 20, 2012, 06:53:48 AM
 #1

Guys who plan to use the blockchain.info online wallet, please consider:

Hi blockchain.info support,

I wrote a mail complaining about a possible security issue to you on 12 Oct and got no reply so far.
Therefore I will post the answer here and hope to get feedback soon:

"In the QR code for iPhone device pairing, the plaintext login password is contained. This is (in my opinion) a possible security issue and it makes me nervous, because this means that my login password is stored in a way which is decryptable (normally I would have expected that the password is stored as a salted hash value). So please can you explain."

Kind regards
-pminers


https://bitcointalk.org/index.php?topic=40264.msg1285194#msg1285194

kgonepostl
October 20, 2012, 04:55:21 PM
 #2

Plaintext? Really?! Not even hashed? Let alone salted hashes!
FAIL!!!!!!!!!!!!!
Maged
October 20, 2012, 09:25:26 PM
 #3

Of course it's plain text. Everything except for the storage of the wallet that is encrypted with that password is done client-side.
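
An added example (not part of the thread and not blockchain.info's code) of the design reply #3 describes: the wallet is encrypted client-side under the password, so a paired device needs the password itself, and a salted hash of it cannot open the blob. The KDF parameters, the cipher, the pairing payload format and all names are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Derive an AES-256 key from the login password (PBKDF2 parameters are assumed).
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256');
}

// Client side: encrypt the wallet; only this blob is ever uploaded.
function encryptWallet(password, walletJson) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(walletJson, 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Client side: decrypt a blob fetched from the server; throws on a wrong secret.
function decryptWallet(password, blob) {
  const key = deriveKey(password, blob.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString('utf8');
}

// Hypothetical pairing payload: what the QR code has to carry so a second
// device can fetch and decrypt the wallet without help from the server.
function pairingPayload(walletId, password) {
  return JSON.stringify({ walletId, password });
}

// Second device: parse the scanned payload, fetch the blob, decrypt locally.
function pairDevice(qrText, server) {
  const { walletId, password } = JSON.parse(qrText);
  return decryptWallet(password, server[walletId]);
}

// True if the given secret opens the blob, false otherwise.
function canOpen(secret, blob) {
  try { decryptWallet(secret, blob); return true; } catch (e) { return false; }
}

// Constructed sample data; "server" stands in for remote storage.
const password = 'correct horse battery staple';
const walletJson = '{"keys":["constructed-sample-key"]}';
const server = { 'wallet-1': encryptWallet(password, walletJson) };
const saltedHash = nodeCrypto.createHash('sha256').update('somesalt' + password).digest('hex');

console.log(pairDevice(pairingPayload('wallet-1', password), server));
console.log(canOpen(saltedHash, server['wallet-1']));
```

Because the payload carries the decryption secret, the QR code has to be protected like the password itself.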
